  1. #1
    Mr Jojo (SitePoint Addict, joined May 2007, 322 posts)

    JavaScript and htmlspecialchars in PHP (URGENT Please)

    These are two posts I made. In the first one I thought it was PHP's bug, but in the second one I found out that it is JavaScript's problem..

    Quote Originally Posted by Mr Jojo:
    I have this function to filter HTML:


    PHP Code:
    function make_safe($variable) {
        // escape &, <, > and " for HTML output, then strip surrounding whitespace
        $variable = trim(htmlspecialchars($variable));

        return $variable;
    }

    So, imagine that $variable contains something like:



    After the make_safe function, the result is:



    And my question is, what happened to the ">" and "<" tag openers? They stayed the same!!
    The htmlspecialchars function should replace them with strings like:

    < = &lt;
    > = &gt;

    Am I right?
    Quote Originally Posted by Mr Jojo:
    I found the problem... It's a JavaScript error. But I can't solve it yet..


    JavaScript interprets "&lt;br&gt;" as "<br>" and so on..

    Does anyone know how to avoid this?


    The "title" and "description" are the $variables that should be seen as "&lt;br&gt;" and not "<br>":

    Code JavaScript:
    function showpreview(title, description) {
    		currentimageheight = 120;

    		document.onmousemove = followmouse;

    		// build the preview markup; title and description are inserted as-is
    		newHTML = '<dl>';
    		newHTML = newHTML + '<dt>' + title + '</dt>';
    		newHTML = newHTML + '<dd>' + description + '</dd>';
    		newHTML = newHTML + '</dl>'; // was "newHtml" (wrong case), so the closing tag never reached newHTML
    		getpreviewobjnostyle().innerHTML = newHTML;
    		getpreviewobj().visibility = "visible";
    	}


    How can I make JS encode the variables "title" and "description" like htmlspecialchars does?

  2. #2
    themightystephen (SitePoint Guru, England, joined Mar 2005, 608 posts)
    If I were you I would debug the program by echoing the string given to the functions at different points. Then you can clearly see where things are definitely going wrong. Have you tried htmlentities() instead of htmlspecialchars() as one person suggested (in the thread you're referring to)?

  3. #3
    Mr Jojo (SitePoint Addict, joined May 2007, 322 posts)
    Yes.

    The string gets into JavaScript's "hands" fine.

    I tried the echo trick and everything was fine.
    The problem is that JavaScript decompiles what htmlentities and htmlspecialchars do.

    So, for JavaScript &lt;br&gt; is the same as <br>, making it show a line break instead of the "<br>" (the coded &lt;br&gt;).


    In other words:


    JAVASCRIPT INPUT = "&lt;b&gt; master &lt;/b&gt;"

    The JavaScript code is executed...

    JAVASCRIPT OUTPUT = "master" instead of "<b>master</b>"

  4. #4
    lkagan (SitePoint Enthusiast, Boca Raton, Florida, joined Sep 2007, 90 posts)
    Use the javascript escape() function.
    Larry Kagan
    Lead Web Application Developer
    Superiocity, Inc.
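To tie the thread's three observations together (the escaping question in #1, the "JavaScript decompiles the entities" observation in #3, and the escape() suggestion in #4), here is an added example; it is not code from any of the posts. It models the path the value takes: the output of PHP's make_safe() is placed in an HTML attribute such as onmouseover (an assumption, since the thread does not show how showpreview() is called), the browser decodes character references in that attribute before the script runs, and the resulting string is then assigned to innerHTML. htmlspecialchars(), decodeAttributeValue(), buildPreviewHTML(), showpreviewSafe() and trace() are names of this example, not of the thread's code, and decodeAttributeValue() is a deliberately small model of the browser's attribute decoding that handles only the references used here, not a full HTML parser.

```javascript
// Added example (not code from the thread): one value followed along
// PHP make_safe() -> HTML attribute -> JavaScript string -> innerHTML.

// JavaScript equivalent of PHP htmlspecialchars($s, ENT_QUOTES): escapes the
// five characters that change meaning in HTML text or attribute values.
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Constructed model of what the browser does to an attribute value such as
//   onmouseover="showpreview('&lt;b&gt;x&lt;/b&gt;', '...')"
// before the script runs: character references are decoded exactly once.
// Only the named references listed here are handled; a real parser knows
// many more. This is why server-side htmlspecialchars() output arrives in
// showpreview() as a raw "<b>".
function decodeAttributeValue(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return String(s).replace(/&(?:#x([0-9a-fA-F]+)|#(\d+)|([a-zA-Z]+));/g,
    function (match, hex, dec, name) {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
      return Object.prototype.hasOwnProperty.call(named, name) ? named[name] : match;
    });
}

// The thread's showpreview() markup, with title and description escaped at
// the moment they are turned into HTML. Returns the string for innerHTML.
function buildPreviewHTML(title, description) {
  return '<dl><dt>' + htmlspecialchars(title) + '</dt>' +
         '<dd>' + htmlspecialchars(description) + '</dd></dl>';
}

// Same result without building HTML strings at all: textContent never
// parses markup, so nothing needs escaping. Browser only (needs a DOM).
function showpreviewSafe(container, title, description) {
  const dl = document.createElement('dl');
  const dt = document.createElement('dt');
  const dd = document.createElement('dd');
  dt.textContent = title;
  dd.textContent = description;
  dl.appendChild(dt);
  dl.appendChild(dd);
  container.textContent = '';
  container.appendChild(dl);
}

// Trace one raw value through the whole path and return every stage.
function trace(raw) {
  const fromPhp = htmlspecialchars(raw);           // what make_safe() emits
  const seenByJs = decodeAttributeValue(fromPhp);  // what showpreview() receives
  return {
    fromPhp: fromPhp,
    seenByJs: seenByJs,
    unsafeInnerHTML: '<dl><dt>' + seenByJs + '</dt></dl>', // original code: tags are live again
    safeInnerHTML: buildPreviewHTML(seenByJs, ''),          // escaped where it becomes HTML
    withEscape: escape(seenByJs)                             // post #4's escape(): percent-encoding, not entities
  };
}

if (typeof document === 'undefined') {
  // Node.js: print the stages for '<b> master </b>'
  console.log(trace('<b> master </b>'));
}
```

Run with node. For the input '<b> master </b>', trace() returns '&lt;b&gt; master &lt;/b&gt;' as the PHP output, '<b> master </b>' as the string JavaScript actually receives, and '%3Cb%3E%20master%20%3C/b%3E' from escape(), which is URL-style percent-encoding rather than HTML entities, so a browser would display those percent signs literally. Escaping has to happen at the point where the string becomes HTML (buildPreviewHTML), or HTML strings have to be avoided entirely (textContent). If the value is also embedded in a JavaScript string literal inside the attribute, it additionally needs JavaScript-string escaping for quotes and backslashes (for example json_encode() on the PHP side) before the attribute itself is HTML-escaped.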