Re: How do I display apostrophe in PHP generated form?

On 29.11.2021 at 02:41, John wrote:

> Thank you very much for your reply.  Yes, addslashes() didn't resolve
> the problem.
>
> I am still trying to figure out why this should be an HTML issue since
> the echo command is only trying to place a known correct string in a
> specific place in the HTML statement.  I would have expected
> everything to be correct here with maybe a problem when I pick up the
> input later.

You're basically creating the following HTML:

  <input value='O'Really'>

This is obviously invalid; the apostrophe in O'Really needed to be escaped
as &apos;.  Note that the HTML is not only invalid, but that failing to
escape user input on output is the main reason for XSS vulnerabilities.

> I'm reading the documentation for both of htmlspecialchars() and
> htmlentities() to try and figure it out since I want to understand the
> situation.

If you're going to produce UTF-8, htmlspecialchars() with the proper
arguments should be sufficient.  There's no need to generate HTML
entities for all those non-ASCII characters.

--
Christoph M. Becker
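
Added example, not part of the original message: the single-quoted value attribute discussed above, printed unescaped, with ENT_COMPAT only, with htmlspecialchars() and ENT_QUOTES, and with htmlentities() for comparison. The helper name e(), the field name and the sample values are assumptions made for illustration, and the file is assumed to be saved as UTF-8.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: escape a value for HTML text or a quoted attribute
// in a page served as UTF-8.
function e(string $value): string
{
    // ENT_QUOTES     escapes both " and ' (ENT_COMPAT leaves ' untouched)
    // ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ''
    // ENT_HTML5      emits the apostrophe as &apos; (ENT_HTML401 gives &#039;)
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample values standing in for user input.
$samples = ["O'Really", "x' data-injected='1", "Zoë <b>"];

foreach ($samples as $name) {
    // Unescaped: the apostrophe ends the attribute value early.
    echo "raw:      <input name='name' value='" . $name . "'>\n";
    // ENT_COMPAT only (the default before PHP 8.1): ' still passes through.
    echo "compat:   <input name='name' value='"
        . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . "'>\n";
    // Escaped for a quoted attribute: ' becomes &apos;, < becomes &lt;.
    echo "escaped:  <input name='name' value='" . e($name) . "'>\n";
    // htmlentities() also rewrites non-ASCII characters such as ë,
    // which a UTF-8 page does not need.
    echo "entities: "
        . htmlentities($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . "\n\n";
}
```

In the "raw" and "compat" lines the second sample ends up as a separate data-injected attribute on the input element, which is the markup-injection case; in the "escaped" line it stays inside the value.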



