
Always escape double quotes (")

Posted by test343
March 02, 2009 08:35AM

Hi!

How can I set up HTML Purifier so that double quotes (") being always escaped (even outside of attributes)?

Thanks

Re: Always escape double quotes (")
March 02, 2009 11:27AM

Why would you need such a feature?

There's no way to do this with configuration. You'll have to patch library/HTMLPurifier/Generator.php. If you can provide a compelling reason to have this feature, I can add it to the core.

test343
Re: Always escape double quotes (")
March 03, 2009 02:34AM

Thank you for the reply. I just need to always escape double quotes so that the HTML code within the input tag would be correct:

$value = $_REQUEST['some_param']; $value = purify_with_html_purifier($value); echo "";

but I DON'T want to mix html tags and user input: $value = $_REQUEST['some_param']; $html = purify_with_html_purifier(); echo($html);

because in this case I have to configure html purifier to allow "input" tags (and other tags) -- but I really don't want to allow users to input tags like this!

In addition it makes code difficult to read/modify and mixes the DATA and DATA REPRESENTATION.

By the way, as far as I understood, in the previous version of HTML Purifier you did always escape double quotes. See http://htmlpurifier.org/svnroot/htmlpurifier/trunk/NEWS:

". Double-quotes outside of attribute values are now unescaped"

Re: Always escape double quotes (")
March 03, 2009 10:17AM

You must use htmlspecialchars() on the output, then. Any other way is invalid.

test343
Re: Always escape double quotes (")
March 04, 2009 03:36AM

You must use htmlspecialchars() on the output, then. Any other way is invalid.

Come on, read what I'm writing -- you DID escape double quotes in the previous version but for some reason removed this in the current release! See http://htmlpurifier.org/svnroot/htmlpurifier/trunk/NEWS: ". Double-quotes outside of attribute values are now unescaped"

On the other hand you DO escape double quotes inside attribute! So why are you making a difference between "inside" and "outside" attribute cases?!

If I use htmlspecialchars why do I need htmlpurifier anyway???

I just want the user input be properly preprocessed before I put it in value attribute of html input tag. This is very clear and simple situation and it's very strange why htmlpurifier can not handle it!

Re: Always escape double quotes (")
March 04, 2009 11:10AM

There is, indeed, a one line patch that will give you the behavior you're looking for. I'm trying to explain why that's not what you want.

If I understand you correctly, you want to do something like:

<input type="text" value="INSERT HTML HERE" />

and have that show up normally inside of the resulting text box. Obviously, you can't have double quotes there. But what if you wrote the HTML like this?

<input type='text' value='INSERT HTML HERE' />

Well, it would be ok to have double quotes, but not to have single quotes.

Point of the matter is, whether or not quotes or single quotes need to be escaped is entirely your job, and depends on what your HTML looks like.

Furthermore, this is NOT valid HTML:

<input type="text" value="<b>" />

This, however, is:

<input type="text" value="&lt;b&gt;" />

And it also does exactly what you are looking for. Try it if you don't believe me.

test343
Re: Always escape double quotes (")
March 12, 2009 02:43PM

OK :). Let me explain it to you in other words if you don't understand. HTML Purifier DOES escape the symbol &, right? Right! So that & comes into

&amp;

Now tell me what the big difference between escaping " symbol and escaping symbol &? How do you decide what symbol escape and what NOT escape? May be you like symbol & more than symbol " ??

Re: Always escape double quotes (")
March 12, 2009 03:30PM

We are required, by the W3C specification, to escape the symbol ampersand when it is not used as part of a character entity reference. No such requirement exists for double quotes and single quotes inside document text (they only must be escaped when they are included in an attribute that is delimited by its corresponding attribute).

Re: Always escape double quotes (")
July 20, 2009 06:10PM

The problem with not escaping the " (quotes) but escaping & (ampersand) to &amp; is that when trying to render HTML Purifier output in a text box there is no good way to re-convert the string (i.e. escape just the quote and not have '&amp;' modified to '&amp;amp;').

Here's an example:

Original string: ">Hello";
HtmlPurifier output: "&gt;Hello"
Output of running htmlspecialchars() on this string before rendering in text box: &quot;&amp;gt;Hello&quot;

Desired output from HtmlPurifier: &quot;&gt;Hello&quot;

Makes sense?

Re: Always escape double quotes (")
July 22, 2009 02:08PM

isn't that what htmlspecialchars() double_encode parameter is for? http://us2.php.net/manual/en/function.htmlspecialchars.php

Re: Always escape double quotes (")
July 22, 2009 02:12PM

Double encode is not really what you want; it's a hack for when you haven't been paying close attention to the strings whizzing around in your application and you don't know whether or not you've got text or HTML or escaped text for HTML... It's not the "right" solution.
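The two points argued in this thread (which quote character needs escaping depends on the attribute delimiter you chose, and the double_encode flag decides whether an entity such as &gt; that HTML Purifier already emitted survives) as an added PHP example. This is not code from the page or from HTML Purifier: the library is not invoked, the $purified string is a constructed stand-in for the output the July 20 post describes, and the helper names attr_escape and text_box are the example's own.

```php
<?php
declare(strict_types=1);

// Added example; HTML Purifier itself is NOT called. The strings marked
// "constructed" imitate the purifier output described in the thread.

/**
 * Escape a string for placement inside an HTML attribute.
 * ENT_QUOTES escapes both " and ', so the result is safe whether the
 * attribute is delimited by double or single quotes.
 * $double_encode = false leaves entities already present (e.g. &gt;) alone.
 */
function attr_escape(string $s, bool $double_encode = true): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8', $double_encode);
}

/** Render a value into a double-quoted value="" attribute of an <input>. */
function text_box(string $value, bool $double_encode = true): string
{
    return '<input type="text" value="' . attr_escape($value, $double_encode) . '" />';
}

// 1. Which quote must be escaped depends on the delimiter you wrote.
//    A " breaks out of value="..." but is harmless in value='...', and vice
//    versa, so the escaping is the template author's job, not the purifier's.
$raw = "say \"hi\" and 'bye'";
$double_quoted = '<input type="text" value="' . attr_escape($raw) . '" />';
$single_quoted = "<input type='text' value='" . attr_escape($raw) . "' />";
// both give: value=..say &quot;hi&quot; and &#039;bye&#039;..

// 2. The double-encoding problem from the July 20 post.
//    Constructed purifier output for the user input  ">Hello
//    (ampersands/angle brackets escaped, the double quote left as-is):
$purified = '"&gt;Hello';

$wrong = text_box($purified, true);
// value="&quot;&amp;gt;Hello&quot;"  -> the box displays  "&gt;Hello   (entity shown literally)

$right = text_box($purified, false);
// value="&quot;&gt;Hello&quot;"      -> the box displays  ">Hello     (what the user typed)

// 3. Why double_encode=false is a hack rather than a model.
//    It is only correct when you KNOW the input is already HTML (as purifier
//    output is). Applied to plain text it silently changes the meaning:
$plain = 'AT&amp;T';                     // user literally typed the six characters &amp;
$faithful = attr_escape($plain, true);   // AT&amp;amp;T  -> displays  AT&amp;T  (correct)
$mangled  = attr_escape($plain, false);  // AT&amp;T      -> displays  AT&T     (data changed)

// The robust rule: track whether each string is text or HTML. Text gets
// htmlspecialchars() with default double encoding; purifier output (HTML)
// gets double_encode=false exactly because you know its & are already entities.

echo $double_quoted, "\n", $single_quoted, "\n";
echo $wrong, "\n", $right, "\n";
echo $faithful, "\n", $mangled, "\n";
```

Run with `php example.php`; the comments beside $wrong, $right, $faithful and $mangled state the attribute value produced and what a browser then shows in the text box.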

