Encoding & Decoding text

FP wrote:

I have a javascript variable set to the contents of a database comments
field.
To set the js variable I used the PHP addslashes function which encodes
the apostrophe, double quotes and the backslash.

That isn't enough. The better way is to convert all suspicious
characters to (numeric or not) HTML entities in PHP, before it reaches
client script. I'ld say the PHP regex should at least affect < " &
and \.

PHP has pre-built constructions for this kind of things.

I need to use the variable contents 3 times;
- display on HTML page
- pre-populate a text area with it
- make it the body of an e-mail

Yes, those things know how to handle HTML entities (don't forget to set
your email's Content-Type to 'text/html' and its MIME-Version >= 1).

When I display the variable using document.write, things like "<b>"
turn the text to bold. To get around this problem I found the function
function htmlEncode(s){
return s.replace(/&(?!\w+([;\s]|$))/g, "&amp;").replace(/</g,
"&lt;").replace(/>/g, "&gt;");}

However, this function turns my original single and double quotes into
"&amp..."
My thought now is I need to convert the single & double quotes back to
their original characters, then run it through the above function.

Is there an easier way to do this?
If not, how do I convert the "&amp..." back to the real character
before passing it to the above function?

It should be done at PHP level; there's actually no need for javascript
trickery here.

--
Bart

Bart Van der Donck wrote:

FP wrote:

I have a javascript variable set to the contents of a database comments
field.
To set the js variable I used the PHP addslashes function which encodes
the apostrophe, double quotes and the backslash.

That isn't enough. The better way is to convert all suspicious
characters to (numeric or not) HTML entities in PHP, before it reaches
client script. I'ld say the PHP regex should at least affect < " &
and \.

I checked for a regex() function but couldn't find one. The closest
thing I found was the htmlspecialchars() function which converts the
characters you mentioned.

I need to use the variable contents 3 times;
- display on HTML page
- pre-populate a text area with it
- make it the body of an e-mail

Yes, those things know how to handle HTML entities (don't forget to set
your email's Content-Type to 'text/html' and its MIME-Version >= 1).

This is going to sound stupid but how do I do that. Is this part of an
href?
I'm using javascript code because that's the only way I know to make a
button in HTML the code I'm using is;

function Email(TheText){
document.location.href=("mailto:?body=" + TheText);
}

<TD>
<input type="button" onclick="Email('<? addslashes(PHP Result here)
?>')" value="E-mail"
</TD>

The PHP Results are the contents of a comment field.
When I click the e-mail button I want the comment in the body of my
e-mail, nothing else needs to be filled in.
If there's an ampersand in the comments then all data after the
ampersand is lost.
The PHP addslashes() function adds ampersands when converting
apostrophes.
I tried putting the "E-mail" button in a form and having the PHP result
as a hidden field hoping I didn't have to convert the apostrophe's in
that case but then the E-mail button didn't line up with the 2 buttons
before it so I gave up on that idea.

Obviously I'm going about this the wrong way, what's the right way?