On Tue, July 17, 2007 2:03 pm, Nisse Engström wrote:
> On Fri, 13 Jul 2007 01:24:09 -0500 (CDT), "Richard Lynch" wrote:
>>
>> htmlspecialchars ONLY escapes four characters: < > & "
>>
>> htmlentities escapes ALL characters that need it
>
> What characters other than the four (or five)
> NEED escaping, and why?

All kinds of stuff, and to keep your site a) readable and b) safe.

For example, some people occasionally find a need to write an o with an umlaut over it.

And sometimes they might type that right into a database form of some kind.

And if that's being output, it needs to be converted to an HTML entity so it will actually show up as an o with an umlaut, instead of, say, capital A with a tilde followed by a paragraph symbol.

Now, in some cases, if you are using UTF-8 (or UTF-16) and if the browser is supporting that, and if you've got the right headers and META tags, most modern browsers will do the right thing...

Or not, in the case of the reply window I'm typing into right now, which has turned your name into:
Nisse Engström
instead of:
Nisse Engström

Of course, it may get re-converted to who knows what before you see it, but I'm not seeing the right thing...

There are actually SIMPLER characters involving only ASCII, but I thought this particular example would drive the idea home better :-)

This script might help as well:

<pre><?php
  // chr() turns the byte value into the character to escape; passing $o
  // itself would only escape the digits of the number.
  // The charset is given explicitly: single bytes above 127 are not valid UTF-8.
  for ($o = 0; $o < 256; $o++){
    $c = chr($o);
    echo "$o: '", htmlspecialchars($c, ENT_COMPAT, 'ISO-8859-1'), "' versus '", htmlentities($c, ENT_COMPAT, 'ISO-8859-1'), "'\n";
  }
?></pre>

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
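Added example, not part of the original message: it runs both functions over one constructed UTF-8 string with the charset passed explicitly, then repeats the call with the wrong charset to reproduce the "capital A with a tilde followed by a paragraph symbol" effect described above, and finally counts the byte values on which the two functions differ. The input string and the `show()` helper are assumptions made for illustration.

```php
<?php
// Added example; the input below is constructed sample data.
// "\xC3\xB6" is the two-byte UTF-8 encoding of "ö".
$input = "Nisse Engstr\xC3\xB6m <b title='x'>\"R&D\"</b>";

// Hypothetical helper: prints a label and the escaped result on one line.
function show(string $label, string $s): void
{
    printf("%-32s %s\n", $label, $s);
}

// Same charset, same flags: both functions escape & < > " identically.
// Only htmlentities() additionally rewrites "ö" as a named entity.
show('htmlspecialchars, ENT_COMPAT:', htmlspecialchars($input, ENT_COMPAT, 'UTF-8'));
show('htmlentities,     ENT_COMPAT:', htmlentities($input, ENT_COMPAT, 'UTF-8'));

// The single quote (the "fifth" character) is escaped only with ENT_QUOTES,
// which matters when the value lands inside a single-quoted attribute.
show('htmlspecialchars, ENT_QUOTES:', htmlspecialchars($input, ENT_QUOTES, 'UTF-8'));

// Charset mismatch: telling htmlentities() the UTF-8 bytes are ISO-8859-1
// makes it escape each byte of "ö" as a separate Latin-1 character.
show('htmlentities, wrong charset:', htmlentities($input, ENT_QUOTES, 'ISO-8859-1'));

// For a single-byte charset, list the byte values where the two functions
// produce different output.
$differ = [];
for ($o = 0; $o < 256; $o++) {
    $c = chr($o);
    $special  = htmlspecialchars($c, ENT_QUOTES, 'ISO-8859-1');
    $entities = htmlentities($c, ENT_QUOTES, 'ISO-8859-1');
    if ($special !== $entities) {
        $differ[] = $o;
    }
}
printf(
    "byte values escaped differently: %d (lowest %d, highest %d)\n",
    count($differ),
    min($differ),
    max($differ)
);
```

The charset argument has to match both the encoding of the stored data and the charset the page declares to the browser; the fourth call shows what a mismatch produces.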