test343
Always escape double quotes (") March 02, 2009 08:35AM

Re: Always escape double quotes (") March 02, 2009 11:27AM
Admin | Registered: 12 years ago | Posts: 3,123

test343
Re: Always escape double quotes (") March 03, 2009 02:34AM
Thank you for the reply. I just need to always escape double quotes so that the HTML code within the input tag is correct:
$value = $_REQUEST['some_param']; $value = purify_with_html_purifier($value); echo "";
but I DON'T want to mix html tags and user input: $value = $_REQUEST['some_param']; $html = purify_with_html_purifier(); echo($html);
because in this case I have to configure html purifier to allow "input" tags (and other tags) -- but I really don't want to allow users to input tags like this!
In addition it makes code difficult to read/modify and mixes the DATA and DATA REPRESENTATION.
By the way, as far as I understood, in the previous version of HTML Purifier you did always escape double quotes. See http://htmlpurifier.org/svnroot/htmlpurifier/trunk/NEWS:
". Double-quotes outside of attribute values are now unescaped"
Re: Always escape double quotes (") March 03, 2009 10:17AM
Admin | Registered: 12 years ago | Posts: 3,123

test343
Re: Always escape double quotes (") March 04, 2009 03:36AM
You must use htmlspecialchars() on the output, then. Any other way is invalid.
Come on, read what I'm writing -- you DID escape double quotes in the previous version but for some reason removed this in the current release! See http://htmlpurifier.org/svnroot/htmlpurifier/trunk/NEWS: ". Double-quotes outside of attribute values are now unescaped"
On the other hand you DO escape double quotes inside attribute! So why are you making a difference between "inside" and "outside" attribute cases?!
If I use htmlspecialchars why do I need htmlpurifier anyway???
I just want the user input be properly preprocessed before I put it in value attribute of html input tag. This is very clear and simple situation and it's very strange why htmlpurifier can not handle it!
Re: Always escape double quotes (") March 04, 2009 11:10AM
Admin | Registered: 12 years ago | Posts: 3,123
There is, indeed, a one line patch that will give you the behavior you're looking for. I'm trying to explain why that's not what you want.
If I understand you correctly, you want to do something like:
<input type="text" value="INSERT HTML HERE" />
and have that show up normally inside of the resulting text box. Obviously, you can't have double quotes there. But what if you wrote the HTML like this?
<input type='text' value='INSERT HTML HERE' />
Well, it would be ok to have double quotes, but not to have single quotes.
Point of the matter is, whether or not quotes or single quotes need to be escaped is entirely your job, and depends on what your HTML looks like.
Furthermore, this is NOT valid HTML:
<input type="text" value="<b>" />
This, however, is:
<input type="text" value="&lt;b&gt;" />
And it also does exactly what you're looking for. Try it if you don't believe me.
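The context dependence described in the post above, as an added PHP example that is not from the HTML Purifier project or from any post in this thread: one constructed sample value is escaped for a double-quoted attribute and for a single-quoted attribute, and a small check confirms that the delimiter chosen for the attribute cannot appear inside the escaped value. The function names and the sample input are assumptions made for the example.

```php
<?php
// Added example, not from the HTML Purifier project or from this thread.
// The escaping a value needs depends on the HTML context it is written into,
// so it belongs at the point of output (htmlspecialchars), not in the purifier.

// Constructed sample containing every character that can matter in an attribute.
$userInput = 'Rock "n" Roll & it\'s <b>loud</b>';

// For a double-quoted attribute: encode &, <, > and " (ENT_COMPAT leaves ' alone).
function forDoubleQuotedAttr(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// For a single-quoted attribute: encode &, <, > and '. ENT_QUOTES also encodes ",
// which is harmless here; encoding both quote kinds is the delimiter-independent
// choice and works in either attribute style.
function forSingleQuotedAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The check a practitioner wants: after escaping, the delimiter used around the
// attribute must not occur in the escaped value, or the attribute ends early.
function delimiterIsSafe(string $escaped, string $delimiter): bool
{
    return strpos($escaped, $delimiter) === false;
}

// Build an <input> whose value attribute is delimited by $delimiter (" or ').
function renderInput(string $value, string $delimiter): string
{
    $escaped = ($delimiter === '"')
        ? forDoubleQuotedAttr($value)
        : forSingleQuotedAttr($value);
    if (!delimiterIsSafe($escaped, $delimiter)) {
        throw new RuntimeException('escaped value still contains the attribute delimiter');
    }
    return '<input type="text" value=' . $delimiter . $escaped . $delimiter . ' />';
}

echo renderInput($userInput, '"'), "\n";
echo renderInput($userInput, "'"), "\n";

// Mismatched context: the double-quote escaper leaves the apostrophe in "it's"
// unencoded, so inside a single-quoted attribute delimiterIsSafe() reports the problem.
var_dump(delimiterIsSafe(forDoubleQuotedAttr($userInput), "'"));
```

In both rendered inputs the browser shows the original text, `<b>` included, because the tag characters arrive as `&lt;b&gt;` inside the attribute. The last line shows why the choice cannot be made inside the purifier: it has no way of knowing which delimiter the template will use.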
test343
Re: Always escape double quotes (") March 12, 2009 02:43PM
OK :). Let me explain it to you in other words if you don't understand. HTML Purifier DOES escape the symbol &, right? Right! So & comes out as &amp;.
Now tell me what the big difference between escaping " symbol and escaping symbol &? How do you decide what symbol escape and what NOT escape? May be you like symbol & more than symbol " ??
Re: Always escape double quotes (") March 12, 2009 03:30PM
Admin | Registered: 12 years ago | Posts: 3,123
We are required, by the W3C specification, to escape the symbol ampersand when it is not used as part of a character entity reference. No such requirement exists for double quotes and single quotes inside document text (they only must be escaped when they are included in an attribute that is delimited by its corresponding attribute).
Re: Always escape double quotes (") July 20, 2009 06:10PM
Registered: 10 years ago | Posts: 6
The problem with not escaping the " (quotes) but escaping & (ampersand) to &amp; is that when trying to render HtmlPurifier output in a text box there is no good way to re-convert the string (i.e. escape just the quote and not have '&' modified to "&amp;").
Here's an example:
Original string: ">Hello"
HtmlPurifier output: "&gt;Hello"
Output of running htmlspecialchars() on this string before rendering in text box: &quot;&amp;gt;Hello&quot;
Desired output from HtmlPurifier: &quot;&gt;Hello&quot;
Makes sense?
Re: Always escape double quotes (") July 22, 2009 02:08PM
Registered: 11 years ago | Posts: 204
Isn't that what the htmlspecialchars() double_encode parameter is for? http://us2.php.net/manual/en/function.htmlspecialchars.php
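The double_encode approach suggested in the reply above, as an added PHP example that is not from the HTML Purifier project or from any post in this thread. It takes the string from the earlier post, with the purified form written out by hand as a constructed stand-in for HTML Purifier output, escapes it for a value attribute both with and without double_encode, and uses html_entity_decode() to show what the browser would place in the text box in each case. The function names are assumptions made for the example.

```php
<?php
// Added example, not from the HTML Purifier project or from this thread.
// HTML Purifier output already has &, < and > as entities. To place it in a
// value="" attribute only the quotes still need encoding; the entities that are
// already there must be left alone, which is what double_encode=false does
// (fourth parameter of htmlspecialchars(), available since PHP 5.2.3).

$original = '">Hello"';

// Constructed stand-in for HTML Purifier output of $original: > became &gt;,
// the double quotes stayed literal because the purifier does not escape them in text.
$purified = '"&gt;Hello"';

// Naive: re-encodes the & of &gt; as well, producing &amp;gt; (double encoding).
function naiveValueAttr(string $purified): string
{
    return htmlspecialchars($purified, ENT_QUOTES, 'UTF-8');
}

// Correct: encode the quotes but leave well-formed entities untouched.
function valueAttr(string $purified): string
{
    return htmlspecialchars($purified, ENT_QUOTES, 'UTF-8', false);
}

// What the browser places in the text box: the attribute value after one
// round of entity decoding.
function browserShows(string $attrValue): string
{
    return html_entity_decode($attrValue, ENT_QUOTES, 'UTF-8');
}

// Round-trip check: the text box must show exactly what the user originally
// typed, so the value can be edited and sent through the purifier again.
function roundTripsCleanly(string $original, string $purified, callable $escaper): bool
{
    return browserShows($escaper($purified)) === $original;
}

echo '<input type="text" value="', naiveValueAttr($purified), "\" />\n";
echo '<input type="text" value="', valueAttr($purified), "\" />\n";

// The naive version fails the round trip (the box shows a literal &gt;),
// the double_encode=false version passes it.
var_dump(roundTripsCleanly($original, $purified, 'naiveValueAttr'));
var_dump(roundTripsCleanly($original, $purified, 'valueAttr'));
```

Because double_encode=false only skips well-formed entities, a stray bare `&` is still encoded, so nothing unsafe slips through. The one behavioural difference shows up if the function is applied to raw, unpurified input instead: a user who typed a literal `&amp;` would see it displayed as `&`, a round-trip change rather than an injection, which is why the flag belongs on purifier output specifically.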
Re: Always escape double quotes (") July 22, 2009 02:12PM
Admin | Registered: 12 years ago | Posts: 3,123