A quick question on htmlspecialchars

If "filter input, escape output" is the correct approach, then using htmlspecialchars like below is the correct way, yes?

$body = "Body text";

$body = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');

return $body;

But say, for instance, the body text has an HTML link within it; then it will be converted to this:

&lt;a href=&quot;http://www.appmobi.com/?q=node/66&quot;&gt;AppMobi App School&lt;/a&gt;

Which means that instead of displaying a clickable link the html page displays the code like so:

<a href="http://www.appmobi.com/?q=node/66">AppMobi App School</a>

You don’t use htmlspecialchars on a complete page. Instead, you need to selectively apply it to content areas. In your example:

<a href="http://www.appmobi.com/?q=node/66">
  <?php echo htmlspecialchars('AppMobi App School'); ?>
</a>

That protects you against the possibility that a school’s name might include <>&’
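An added example of the selective approach described in this answer (not the answerer's code): the link markup stays fixed in the template, while the URL and the label are escaped individually as untrusted content. The helper names `e` and `render_link` and the sample values are my own.

```php
<?php
declare(strict_types=1);

// Escape one untrusted value for use in an HTML text node or a
// double-quoted attribute. ENT_QUOTES also escapes single quotes, and
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a link. The <a> tag itself is trusted template markup; only the
// two content areas (href value and link text) are escaped.
function render_link(string $url, string $label): string
{
    return '<a href="' . e($url) . '">' . e($label) . '</a>';
}

// Constructed sample values: the link from the question, plus a name and
// URL containing characters that would otherwise be read as markup.
$samples = [
    ['http://www.appmobi.com/?q=node/66', 'AppMobi App School'],
    ['http://example.test/?q="><b>x</b>', "Lotus & Lily's <School>"],
];

// Each line is still a working link; the <, >, &, " and ' inside the
// second label and URL come out as entities rather than as markup.
foreach ($samples as [$url, $label]) {
    echo render_link($url, $label), PHP_EOL;
}

// Contrast with the question's approach: escaping the finished fragment
// turns the <a> tag itself into text, so the page shows the code.
$whole = render_link('http://www.appmobi.com/?q=node/66', 'AppMobi App School');
echo e($whole), PHP_EOL;
```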