Problem with Apostrophe

**DoubleDee** · Jul 8, 2012 11:20

When a user uploads a photo for their profile, I allow them to add an optional Photo Label like this...

Sam's Spiral GIF

To prevent against XSS attacks, I wrapped the Photo Label with htmlentities like this...

PHP Code:


        title='" . htmlentities($photoLabel) . "' />

The problem is that when I hover over the user's photo, I see this...

Sam & #039 ; s Spiral GIF

(I added spaces above because it keeps getting converted by SitePoint?!)

How can I use htmlentities() and get my output to look proper?

Thanks,

Debbie

**cpradio** · Jul 8, 2012 11:50

Might want to use addslashes instead

**DoubleDee** · Jul 8, 2012 12:14

Originally Posted by cpradio

Might want to use addslashes instead

But I believe addslashes() is intended for escaping data before it goes into a database.

I need to safely handle data during output to the screen...

Debbie

**spikeZ** · Jul 8, 2012 14:55

addslashes() on the way in
stripslashes() on the way out.

**Jeff Mott** · Jul 8, 2012 15:12

addslashes is related to SQL injection, so it doesn't apply here.

@Debbie I suspect that somewhere along the way, you've double-escaped the photo label. Check where the value of photoLabel comes from and everything is passes through, and make sure it hasn't already been run through htmlentities.

**DoubleDee** · Jul 8, 2012 16:52

Originally Posted by Jeff Mott

addslashes is related to SQL injection, so it doesn't apply here.

@Debbie I suspect that somewhere along the way, you've double-escaped the photo label. Check where the value of photoLabel comes from and everything is passes through, and make sure it hasn't already been run through htmlentities.

You would be correct.

Turns out I had htmlentities in a function above and then again in my HTML.

Thanks!

Debbie

**cpradio** · Jul 9, 2012 02:53

Originally Posted by Jeff Mott

addslashes is related to SQL injection, so it doesn't apply here.

@Debbie I suspect that somewhere along the way, you've double-escaped the photo label. Check where the value of photoLabel comes from and everything is passes through, and make sure it hasn't already been run through htmlentities.

It is true that addslashes is primarily for SQL Injections, but look at the code provided again.

PHP Code:


title='" . htmlentities($photoLabel) . "' />

Notice she has single quotes for the title attribute, so her output (without htmlentities) would have been title='Sam's Sprial GIF'. So my point is, addslashes would have worked here too but it wouldn't take care of XSS attacks like htmlentities would.

**Jeff Mott** · Jul 9, 2012 09:03

Originally Posted by cpradio

Notice she has single quotes for the title attribute, so her output (without htmlentities) would have been title='Sam's Sprial GIF'. So my point is, addslashes would have worked here too but it wouldn't take care of XSS attacks like htmlentities would.

Too many programming languages on the brain.

It can be easy to mix them up. In languages such as PHP and JavaScript, a backslash escapes special characters. But in HTML, the backslash has no special meaning at all.

User Tag List

Thread: Problem with Apostrophe

Thread Tools

Display

Problem with Apostrophe

Bookmarks

Bookmarks

Posting Permissions