posted on: 2008-05-01 12:16:34
PHP has a few easy functions for producing HTML escape strings. You can use them to build a reference table of escape sequences, or to format output.

I haven't gotten down to business on "magic quotes" yet, but this is the beginning of my exposé. First I make a form that submits to itself. Let's call it "escape.php"; its contents would be:

  <form action='escape.php' method='POST' name='escapeform'>
    Input Code:
     <textarea name='escapeme' rows='5' cols='55'><?php
      // Escape before echoing: a raw echo lets input such as
      // "</textarea><script>...</script>" break out of the textarea.
      echo htmlspecialchars($oldtext, ENT_QUOTES);
     ?></textarea>
    Output Code:
      <textarea name='escaped' rows='5' cols='55'><?php
        // $newtext is already double-encoded, so it displays as literal entities.
        echo $newtext;
      ?></textarea>
    <input type='submit'/>
 </form>

Now we have a self-submitting PHP form, so I put my PHP code in the head, and it looks like this:

<?php
  // stripslashes() undoes the backslashes magic_quotes_gpc adds before quotes
  $oldtext = isset($_POST['escapeme']) ? stripslashes($_POST['escapeme']) : '';
  // htmlspecialchars() turns & < > " ' into entities; the str_replace() then
  // encodes each entity's own '&' so the browser shows "&lt;" literally
  $newtext = str_replace('&', '&amp;', htmlspecialchars($oldtext, ENT_QUOTES));
?>

And voilà: you click submit and you get escape strings back (you can view it here). Notice the three PHP functions I use. stripslashes() gets rid of the backslashes that magic quotes puts before your quotes, htmlspecialchars() of course escapes your special characters (&, <, >, " and, with ENT_QUOTES, '), and str_replace() finishes the job by turning the "&" of each entity into "&amp;", so that the browser shows the escape string itself instead of decoding it back into the value you started with. Another page that does this with some more features is here:

Quick Escape

and I used this page for reference.

HTML escape strings
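Putting the pieces together, here is a hardened version of escape.php as an added example (my code, not the original post's). It keeps the two-stage escape described above, but also escapes $oldtext before echoing it back into the textarea, strips slashes only when magic_quotes_gpc is actually on, passes ENT_QUOTES so single quotes are escaped too, and can be run from the command line (php escape.php) to print the single- and double-encoded forms of a sample XSS probe. The function names html_escape_string() and h(), and the constructed sample string, are this example's own choices.

```php
<?php
// Added example (not the original post's code): a hardened version of the
// self-submitting escape.php described above. Function and variable names
// are this example's own choices.

declare(strict_types=1);

// Convert raw text into an HTML escape string. Returns both forms:
//   'entities' - what you would paste into an HTML document
//   'display'  - the same string double-encoded so that a browser shows the
//                entity text itself (e.g. "&lt;") instead of decoding it
function html_escape_string(string $raw): array
{
    // Only strip backslashes when magic_quotes_gpc actually added them;
    // an unconditional stripslashes() corrupts legitimate backslashes.
    // (The function is gone in PHP 8, hence the function_exists() guard.)
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    // ENT_QUOTES escapes both ' and ", so the result is safe inside
    // single- or double-quoted attributes as well as element content.
    $entities = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    // Encode the leading & of each entity so the entity is shown literally.
    $display = str_replace('&', '&amp;', $entities);
    return ['entities' => $entities, 'display' => $display];
}

// Escape any user-supplied value before echoing it into HTML. The original
// form echoed $oldtext raw, which lets "</textarea><script>..." break out
// of the textarea; the same rule applies to a commenter's name or comment.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: a classic XSS probe.
    $sample = '<script>alert("dangerous handling of script elements");</script>';
    $r = html_escape_string($sample);
    echo "input:    $sample\n";
    echo "entities: {$r['entities']}\n";
    echo "display:  {$r['display']}\n";
    exit;
}

// Web mode: the self-submitting form.
$oldtext = isset($_POST['escapeme']) ? (string) $_POST['escapeme'] : '';
$r = html_escape_string($oldtext);
$newtext = $r['display'];
header('Content-Type: text/html; charset=UTF-8');
?>
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>escape.php</title></head>
<body>
<form action="escape.php" method="post" name="escapeform">
  Input Code:
  <textarea name="escapeme" rows="5" cols="55"><?php echo h($oldtext); ?></textarea>
  Output Code:
  <textarea name="escaped" rows="5" cols="55" readonly><?php echo $newtext; ?></textarea>
  <input type="submit" value="Escape">
</form>
</body>
</html>
```

From the command line the 'entities' line is what you would paste into a page (the browser renders it as the original script text, inert), and the 'display' line is what must go into the output textarea so the visitor sees the entities rather than the decoded characters. Note that the output textarea is safe to fill with $newtext because, after the two-stage escape, it contains no <, > or " at all.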

Comments

matt
2014-03-03 04:02:53
<script> alert("dangerous handling of script elements");</script>
<script> alert("the name could be dangerous");</script>
2014-03-03 04:10:58
Just check if the name is sanitized too.
irony?
2014-03-03 04:12:58
Having a page about escaping html elements, while allowing users to enter raw html...whoops.