Posted by flamer die.spam@hotmail.com on 12/17/01 11:52
Taras_96 wrote:
> Hi all,
>
> I was hoping to get some clarification on a couple of questions I have:
>
> 1) When should htmlspecialchars be used? As a general rule should
> it be used for text that may contain special characters that is going
> to be rendered in the browser (ie: text that isn't in tags)? I've got a
> javascript onclick handler whose code includes an ampersand and the
> HTML validator complains. I don't know if I should escape the
> ampersand, or even if it's possible (seeing that the text is inside an
> HTML attribute).
>
Well.. basically you're either saying show this image to the user
"copyrightsymbol" OR giving an instruction to the browser to display a
copyright symbol. I think the "dangerous" comment comes from the fact
that often MS will simply blank sometimes when they will display
correctly in *nix, or when an undefined notation is used in a page it is
not known what the effect will be on some platforms or how it will be
displayed.
Flamer.
> Why would you ever use htmlentities as opposed to htmlspecialchars? The
> only reason I can think of is if your page's charset doesn't support
> the special character you're trying to render (for example, the euro
> using Latin1), but then why wouldn't you just change the page's charset
> to UTF-8 (unless your editor can't save in UTF-8, which might
> indicate it's time to get another editor). The comment on the PHP manual
> entry for html entities, 'Please, don't use htmlentities to avoid XSS!
> Htmlspecialchars is enough!' seems to suggest that the uses for
> htmlentities are limited, since it needn't be used to avoid XSS.
>
> 2) A comment in the PHP manual entry for htmlentities states that their
> function can be used to 'replace any characters in a string that could
> be 'dangerous' to put in an HTML/XML file with their numeric entities
> (e.g. é for [e acute])'. Why would it be dangerous!?
>
> 3) What are some typical uses of specifying HTTP input/output character
> encoding? If it is used to convert output, why wouldn't you just change
> the output page's char encoding? If it's used to convert input from say
> UTF-8 to Latin1, couldn't you just use a function to do this?
>
> That's about it!
>
> Thanks in advance
>
> Taras
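An added example (not from either poster) showing the escaping questions raised above in running PHP: htmlspecialchars() with ENT_QUOTES applied to text between tags and to an attribute value containing an ampersand, beside htmlentities() on the same input. The input strings are constructed for the demonstration.

```php
<?php
// Escape a string for placement in HTML text or inside a quoted attribute.
// ENT_QUOTES escapes both ' and ", so the result is safe in either quote style.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed untrusted input containing markup, both quote types and a non-ASCII char.
$input = '<script>alert("x")</script> & Tom\'s "caf' . "\u{e9}" . '"';

// 1) Text between tags: the five characters & < > " ' are what matter for XSS,
//    and htmlspecialchars() handles all of them. The é is emitted unchanged,
//    which is fine as long as the page is served as UTF-8.
echo '<p>' . esc($input) . "</p>\n";

// 1b) The same function is the right one for attribute values: an attribute is
//     still HTML, so the validator is right that a bare & must become &amp;.
//     The browser decodes entities in the attribute before handing the string
//     to the JavaScript engine, so the handler code runs exactly as written.
$handler = "if (a && b) { go(); }";
echo '<a href="#" onclick="' . esc($handler) . '">go</a>' . "\n";

// Caveat: HTML-escaping only protects the attribute's own syntax. Untrusted data
// placed *inside* the script code (e.g. as a JS string literal) also needs
// JS-level encoding (json_encode() is the usual tool), or it is script injection.
$untrusted = "x'); evil(); ('";
echo '<a href="#" onclick="show(' . esc(json_encode($untrusted)) . ')">show</a>' . "\n";

// 2) htmlentities() does everything htmlspecialchars() does and additionally
//    turns every character with a named entity into it (é becomes &eacute;).
//    That is only useful when the output charset cannot represent the character
//    (the Latin-1 euro case from the question); it adds nothing against XSS.
echo htmlentities($input, ENT_QUOTES, 'UTF-8') . "\n";

// 3) Converting input between encodings is just a function call, as the question
//    suggests; mb_convert_encoding() is PHP's standard way to do it.
$latin1 = mb_convert_encoding("caf\u{e9}", 'ISO-8859-1', 'UTF-8');
echo strlen($latin1), " bytes in Latin-1 vs ", strlen("caf\u{e9}"), " bytes in UTF-8\n";
```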