just wondering... htmlspecialchars vs htmlentities

Can someone please explain to me why/when one would use htmlspecialchars
instead of htmlentities?

I know: if you only want to get certain characters translated. This is not
the answer I'm looking for, I would like to know *why* you would want that,
as opposed to a full translation.

re: just wondering... htmlspecialchars vs htmlentities

mijn naam escribió:htmlspecialchars allows you, per example to display HTML Code (not have
it interpreted by the browser).
Can be useful if you are coding a BBS and you want the BBCode tags to work, so that users can post examples.

htmlentities will replace everything it can.
Can be useful if your want to store accentued letters in a database that
does not support it (does that exists?), or to be really sure that all
of your users are going to see accentued letters, even without setting
correctly the charset you are using.

Well that's what I believe at least.
I may be wrong, and I'm sure their are better uses of htmlentities that
displaying correctly content with a badly setted charset

re: just wondering... htmlspecialchars vs htmlentities

Romain Gilliotte escribió:
I found this on php.net:

richard at aggmedia dot net
13-Mar-2008 04:32
From SR:
This is inaccurate and unhelpful.

There are many cases where you would want to convert a UTF-8 (or other)
encoded string into appropriate HTML entity representations, as well as
being just good practice to use more compatable entities instead of
embedded character encodings.

One such example is when using JavaScript for string manipulation, which
doesn't support character sets and thus does not respect the UTF-8 BOM.
By converting to full entities, JavaScript works with the entity text
instead of byte codes.

So long as the developer understands what is happening with encoding and
how character sets work, they should make their own call on which
function they need to use.

re: just wondering... htmlspecialchars vs htmlentities

..oO(mijn naam)
htmlspecialchars() is _always_ required if you want to print arbitrary
textual data to an HTML page. Some characters have a special meaning in
HTML and have to be escaped if they appear in your text. It also helps
to prevent XSS (cross-site-scripting) attacks, if you're printing user-
submitted data.

htmlentities() is not really necessary anymore, because today every
system (server-side and client-side) should be capable of handling UTF-8
data. This means you don't have to use ugly character references like
é anymore, but can write all the chars you want directly, like é.

Micha

re: just wondering... htmlspecialchars vs htmlentities

..oO(Romain Gilliotte)
I can't think of any one.
HTML is based on Unicode. Virtually every user agent supports UTF-8,
even NN 4 and search engine bots. And if one UA should have problems
with it, then it doesn't really matter anyway.
What kind of string manipulations? And why should JS have problems with
UTF-8 or Unicode in general?
Which might cause new problems, dependent on what you're trying to do
with the strings.

Micha

re: just wondering... htmlspecialchars vs htmlentities

"Romain Gilliotte" <eloims@gmail.comschreef in bericht
news:48cbd611$0$12665$426a74cc@news.free.fr...
Ack, thanks for your insight (all of it).

As I expected: it depends. A benefit of using htmlspecialchars would be
resource utilization.

The main reason would be taste. :-)

re: just wondering... htmlspecialchars vs htmlentities

..oO(mijn naam)
The main reasons for htmlspecialchars() are security and reliability.

Micha

re: just wondering... htmlspecialchars vs htmlentities

Michael Fesser wrote:That's supossing you consider MSIE7 up to today's standards :-D

--
----------------------------------
Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

MSN:i_eat_s_p_a_m_for_breakfast@hotmail.com
Jabber:ivansanchez@jabber.org ; ivansanchez@kdetalk.net

re: just wondering... htmlspecialchars vs htmlentities

..oO(Iván Sánchez Ortega)
Not really, but at least UTF-8 works there.

Micha