Posted by Jon on 11/02/05 21:27
Ok, I found the issue - It's a classic 'I'm an idiot' moment - I actually
had some whitespace between the end of my PHP code and the beginning of the
</textarea> tag... Feel free to point and laugh :p Also, I use the ';' at
the end out of habit - probably a C++ thing that won't go away... it seems
to work the same regardless of whether it is placed in the <?= ?> tags or not, so
I've stuck with it.
I do have some follow-up questions regarding your other info though. If I
use htmlspecialchars(), does it not then convert all of the HTML tags
someone enters into non-usable tags by converting them to the > symbols?
My understanding, going by the PHP manual, is:
<?php
// ENT_QUOTES also converts single quotes, so the output is entity-encoded text
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
This would seemingly cause me problems as users are entering HTML and will
need the HTML characters to remain intact as they go to the DB, as we're
simply echoing the value of the TEXT field holding all HTML to the browser.
I know that I need to addslashes and stripslashes to escape characters that
I'll need to make HTML work, but am not quite sure of the application of
htmlspecialchars() in this case. Thanks again for any info.
"Hilarion" <hilarion@SPAM.op.SMIECI.pl> wrote in message
news:dkavk9$iq2$1@news.onet.pl...
>> <textarea name="tBody" cols="55" rows="20"><?=
>> $rowGetContent['pContentBody'];?></textarea>
>
> There should be no semicolon ";", but in general this method should not
> produce any additional whitespace. Have you looked at the HTML source
> which is generated this way? Does it contain those extra spaces?
> If no, then it's a browser issue.
>
>
>> Won't htmlspecialchars turn whitespace into &nbsp;'s?
>
> Nope. It only changes "less than", "greater than", "double quote" and
> "ampersand". You may also force "htmlspecialchars" to affect single
> quote (useful when you use this char to quote attribute values) or turn
> off changing double quotes using second (optional) parameter as
> described in the PHP manual.
> If you quote all your attribute values with double quote signs, then
> you can use "htmlspecialchars" without any additional parameters
> to escape HTML for attribute values and tag contents (e.g. <textarea>,
> <code>) or any other place you want the text to be shown "as is" and
> not get interpreted as HTML.
>
>
>> I was worried about this, because we're basically going to do some basic
>> training on HTML with all of our customers using this system, and we
>> don't want them to be able to accidentally start adding lots of
>> whitespace that they may not have wanted.
>
> If you are using <textarea> as HTML source editor then you HAVE to
> use some HTML-escaping function. In my opinion "htmlspecialchars" is the
> best choice in this case.
>
>
> You probably were thinking about "htmlentities" function which
> does much more changing, but still does not affect normal space
> characters.
>
>
> Hilarion
>
> PS.: I said you can use "htmlspecialchars" to escape attribute values.
> I should have said that you SHOULD escape ALL attribute values
> which can contain any HTML special char, which includes ALL
> data given by user or got from text fields of any database.
> You should also check every place where user or database data
> is passed to output and decide if it should be interpreted as
> HTML or not (in the second case you should also use the function).