Always escape double quotes (")

Hi!

How can I set up HTML Purifier so that double quotes (") being always escaped (even outside of attributes)?

Thanks

Why would you need such a feature?

There's no way to do this with configuration. You'll have to patch library/HTMLPurifier/Generator.php. If you can provide a compelling reason to have this feature, I can add it to the core.

Thank you for reply. I just need always to escape double quotes so that html code withing input tag would be correct:

$value = $_REQUEST['some_param']; $value = purify_with_html_purifier($value); echo "";

but I DON'T want to mix html tags and user input: $value = $_REQUEST['some_param']; $html = purify_with_html_purifier(); echo($html);

because in this case I have to configure html purifier to allow "input" tags (and other tags) -- but I really don't want to allow users to input tags like this!

In addition it makes code difficult to read/modify and mixes the DATA and DATA REPRESENTATION.

By the way -- I as far as I understood in previous version of html purifier you did always escape double quotes. See http://htmlpurifier.org/svnroot/htmlpurifier/trunk/NEWS:

". Double-quotes outside of attribute values are now unescaped"

You must use htmlspecialchars() on the output, then. Any other way is invalid.

You must use htmlspecialchars() on the output, then. Any other way is invalid.

Come on, read what I'm writting -- you DID escape double quotes in previous version but for some reason removed this in the current release! See http://htmlpurifier.org/svnroot/htmlpurifier/trunk/NEWS: ". Double-quotes outside of attribute values are now unescaped"

On the other hand you DO escape double quotes inside attribute! So why are you making a difference between "inside" and "outside" attribute cases?!

If I use htmlspecialchars why do I need htmlpurifier anyway???

I just want the user input be properly preprocessed before I put it in value attribute of html input tag. This is very clear and simple situation and it's very strange why htmlpurifier can not handle it!

There is, indeed, a one line patch that will give you the behavior you're looking for. I'm trying to explain why that's not what you want.

If I understand you correctly, you want to do something like:

<input type="text" value="INSERT HTML HERE" />

and have that show up normally inside of the resulting text box. Obviously, you can't have double quotes there. But what if you wrote the HTML like this?

<input type=&#039;text&#039; value=&#039;INSERT HTML HERE&#039; />

Well, it would be ok to have double quotes, but not to have single quotes.

Point of the matter is, whether or not quotes or single quotes need to be escaped is entirely your job, and depends on what your HTML looks like.

Furthermore, this is NOT valid HTML:

<input type="text" value="<b>" />

This, however, is:

<input type="text" value="&lt;b&gt;" />

And it also does exactly what you're are looking for. Try it if you don't believe me.

OK :). Let me to explain it to you in other words if you don't understand. html purify DOES escape symbol &, right? Right! So that & comes into

&

Now tell me what the big difference between escaping " symbol and escaping symbol &? How do you decide what symbol escape and what NOT escape? May be you like symbol & more than symbol " ??

We are required, by the W3C specification, to escape the symbol ampersand when it is not used as part of a character entity reference. No such requirement exists for double quotes and single quotes inside document text (they only must be escaped when they are included in an attribute that is delimited by its corresponding attribute).

The problem with not escaping the "(quotes) but escaping &(ampersand) to & is that when trying to render HtmlPurifier output in a text box there is no good way to re-convert the string (i.e. escape just the quote and not have '&' modified to "&".

Here's an example:

Original string: ">Hello";
HtmlPurifier output: ">Hello"
Output of running htmlspecialchars() on this string before rendering in text box: ">Hello"

Desired output from HtmlPurifier: ">Hello"

Makes sense?

isn't that what htmlspecialchars() double_encode parameter is for? http://us2.php.net/manual/en/function.htmlspecialchars.php

Double encode is not really what you want; it's a hack for when you haven't been paying close attention to the strings whizzing around in your application and you don't know whether or not you've got text or HTML or escaped text for HTML... It's not the "right" solution".

test message test message

jrk

"aaa"