Thanks Christopher.

I had spotted the problem of 'O'Really' and that was my reason for using double quotes in the display "O'Really" which didn't work. I think that the issue may be that while single quotes don't parse the enclosed string, double quotes do, and the "'" was exposed to the parser and turned further display off. Hope that makes sense.

Thanks for the suggestion re htmlentities(). I'll take a whack at changing some of them to htmlspecialchars() and if it works I'll use the more efficient approach.

I have the page coding set to UTF-8 in the headers.

Regards,

John

==========

On Tue, 2021-11-30 at 17:34 +0100, Christoph M. Becker wrote:
> On 29.11.2021 at 02:41, John wrote:
>
> > Thank you very much for your reply. Yes, addslashes() didn't resolve
> > the problem.
> >
> > I am still trying to figure out why this should be an HTML issue since
> > the echo command is only trying to place a known correct string in a
> > specific place in the HTML statement. I would have expected
> > everything to be correct here with maybe a problem when I pick up the
> > input later.
>
> You're basically creating the following HTML:
>
>   <input value='O'Really'>
>
> This is obviously invalid; the apostrophe in O'Really needed to be escaped
> as '. Note that the HTML is not only invalid, but that missing to
> escape user input on output is the main reason for XSS
> vulnerabilities.
>
> > I'm reading the documentation for both of htmlspecialchars() and
> > htmlentities() to try and figure it out since I want to understand the
> > situation.
>
> If you're going to produce UTF-8, htmlspecialchars() with the proper
> arguments should be sufficient. There's no need to generate HTML
> entities for all those non-ASCII characters.
>
> --
> Christoph M. Becker
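
Added example, not part of the thread: the input tag discussed above, built once without escaping and once with htmlspecialchars() called with explicit flags and UTF-8, next to what htmlentities() would emit for the same value. The helper name h(), the field name and the sample values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Escape a value for an HTML attribute or text node on a UTF-8 page.
// h() is a hypothetical helper name, not something from the thread.
function h(string $value): string
{
    // ENT_QUOTES escapes both ' and " (before PHP 8.1 the default flags
    // left ' untouched); ENT_SUBSTITUTE turns invalid UTF-8 into U+FFFD
    // instead of making the function return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample values.
$samples = [
    "O'Really",             // the apostrophe case from the thread
    "x' data-injected='1",  // closes the attribute and adds a second one
    "Zoë \"Z\" Müller",     // non-ASCII text plus double quotes
];

foreach ($samples as $value) {
    // Value dropped into a single-quoted attribute as-is: the first
    // apostrophe in the value ends the attribute early.
    $raw = "<input name='who' value='" . $value . "'>";

    // Same tag with the value escaped at output time.
    $safe = "<input name='who' value='" . h($value) . "'>";

    // htmlentities() with the same flags also rewrites ë and ü as named
    // entities, which a UTF-8 page does not need.
    $entities = htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // Decoding the escaped form gives back the original string, so the
    // submitted form value is unchanged by the escaping.
    $roundTrip = html_entity_decode(h($value), ENT_QUOTES | ENT_HTML5, 'UTF-8') === $value;

    echo "unescaped:        {$raw}\n";
    echo "htmlspecialchars: {$safe}\n";
    echo "htmlentities:     {$entities}\n";
    echo "round trip ok:    " . ($roundTrip ? 'yes' : 'no') . "\n\n";
}
```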