Problems with str_replace() with some html characters

I cannot change html content to its characters:

$text = "This is a quote &quot;here&quot; there you have";

$text = str_replace("&quot;","\"",$text);
$text = str_replace("&lt;","<",$text);
$text = str_replace("&gt;",">",$text);

But no change is made.

Seems to work fine for me…

The text is receive from database, could be that the problem?

Not sure. If the text is exactly what is shown, even from the database, it should work. When you get the text from the database, write it out, so you can verify it matches your expectations.

I was using an example but not a real one, but this one it is. This is the text I get from the database:

&lt;div onclick=&quot;alert('código inyectado');&quot;&gt;Texto&lt;/div&gt;

Y aquí una URL: [url][/url]

Bueno pues vamos [b]a ver si esto funciona[/b] porque &quot;todavía&quot; no lo sé [i][u]bien[/u][/i]

And this is what is shown:

And what is the exact code being used to create that output? I know you provided the pseudo code, which works, but are you absolutely sure you are using the variable/output returned by str_replace in your output?

Let me explain the process:

//I get the database data:
$texto_mostrar = evitamos_script($hilo_asunto[0]['texto_sin_etiquetas']); //EVITAMOS SCRIPTS

//modify the [img], [url]...tags to real HTML
$texto_mostrar = a_html($texto_mostrar);

//modify html special characters like the ones I'm having problems with
$texto_mostrar = para_vista_previa($texto_mostrar);

//this is where I show the output
 echo "<div class='contenido_post'>" . a_emoji(nl2br($texto_mostrar)) . "<script async src='//' charset='utf-8'></script></div>";

The emoji() function is just to use emoticons on the text. Here is the code of the functions I'm using:

function para_vista_previa($texto_a_modificiar){
    $texto_a_modificiar = str_replace("[b]","<b>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[/b]","</b>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[i]","<i>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[/i]","</i>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[u]","<u>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[/u]","</u>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[quote]","<blockquote class='quote_mencion'>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[/quote]","</blockquote>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[img","<img",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[center]","<center>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[/center]","</center>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[a class=\"mencion\"","<a class=\"mencion\"",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("rel=\"nofollow\"]","rel=\"nofollow\">",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[/a]","</a>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[a class=\"enlace_foro\"","<i class=\"fa fa-link fa-fw\"></i><a class=\"enlace_foro\"",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[cite]","<cite>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[/cite]","</cite>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[code]","<code>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[/code]","</code>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[div]","<div>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("[/div]","</div>",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("]",">",$texto_a_modificiar);
    $texto_a_modificiar = str_replace("&quot;","\"",$texto_a_modificiar); //para comillas
    $texto_a_modificiar = str_replace("&lt;","<",$texto_a_modificiar); // para <
    $texto_a_modificiar = str_replace("&gt;",">",$texto_a_modificiar); // para >

    return $texto_a_modificiar;
}

function evitamos_script($texto) {

    $limpia = strip_tags($texto, '<b> <i> <u> <quote> <img> <center> <code> <cite> <div> <a> <blockquote> <iframe> <video> <embed>'); //EVITAMOS SCRIPTS
    $limpia = htmlspecialchars($limpia);

    return $limpia;
}

Okay, I see what is going on now.

You already have an encoded string from the database; that is, it is already using &quot; for quotes (at the very least). Then you are calling htmlspecialchars on it as part of evitamos_script, which is encoding it a second time and changes &quot; into &amp;quot;.

Here is a snippet showing the problem:

Then later on you are only replacing &quot; with ", but what your string really has is &amp;quot;.

So you have a few options here.

  1. If your string truly is already encoded when stored in the database, remove the htmlspecialchars from evitamos_script

  2. Utilize htmlspecialchars_decode

  3. Update your str_replace to take into account the double encoding

  4. Stop applying htmlspecialchars when storing your content in your database and only use it when outputting the data (no code changes needed to this portion, your code changes would be on your insert/update logic and you’d have to run a maintenance on existing data stored).
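The double encoding described above, reproduced as an added example (not code from this thread): it shows why the original str_replace finds nothing, what the double_encode flag changes, and a rendering step that converts only the BBCode tags and never decodes &lt;/&gt;/&quot; back, so the escaped onclick in the stored text stays visible text instead of becoming markup. The sample string and the bbcodeToHtml() helper are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample, modelled on the database text quoted in the thread:
// it is already HTML-encoded when it is read from the database.
$fromDb = '&lt;div onclick=&quot;alert(1)&quot;&gt;Texto&lt;/div&gt; [b]negrita[/b]';

// 1. What evitamos_script() did: htmlspecialchars() on already-encoded text
//    (default double_encode = true) turns &quot; into &amp;quot;, so a later
//    str_replace('&quot;', '"', ...) has nothing to match.
$twice = htmlspecialchars($fromDb, ENT_QUOTES, 'UTF-8');
assert(str_contains($twice, '&amp;quot;'));
assert(str_replace('&quot;', '"', $twice) === $twice);   // no change at all

// 2. The change the thread settled on: double_encode = false leaves existing
//    entities alone, while still escaping any raw <, >, & or quotes.
$once = htmlspecialchars($fromDb, ENT_QUOTES, 'UTF-8', false);
assert(!str_contains($once, '&amp;'));
assert(str_contains($once, '&quot;'));

// 3. Rendering: map BBCode tags to markup on the escaped string and stop there.
//    Decoding &lt;/&gt;/&quot; afterwards (as para_vista_previa() does) would
//    undo the escaping and let stored markup like the onclick above run.
function bbcodeToHtml(string $escaped): string   // hypothetical helper
{
    $map = [
        '[b]' => '<b>',  '[/b]' => '</b>',
        '[i]' => '<i>',  '[/i]' => '</i>',
        '[u]' => '<u>',  '[/u]' => '</u>',
        '[quote]'  => "<blockquote class='quote_mencion'>",
        '[/quote]' => '</blockquote>',
    ];
    // strtr() replaces each key once, longest first, and never rescans output.
    return strtr($escaped, $map);
}

$html = bbcodeToHtml($once);
assert($html === '&lt;div onclick=&quot;alert(1)&quot;&gt;Texto&lt;/div&gt; <b>negrita</b>');
echo $html, PHP_EOL;
```

Run with zend.assertions=1 so the assert() lines are evaluated; the browser then shows the div as literal text and "negrita" in bold.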

Thanks for your help!

I finally solved the problem by changing this line:

$limpia = htmlspecialchars($limpia, ENT_QUOTES, 'UTF-8', false);
