just wondering... htmlspecialchars vs htmlentities

Can someone please explain to me why/when one would use htmlspecialchars
instead of htmlentities?

I know: if you only want to get certain characters translated. This is not
the answer I'm looking for, I would like to know *why* you would want that,
as opposed to a full translation.

Sep 13 '08 #1
mijn naam wrote:
>Can someone please explain to me why/when one would use htmlspecialchars
>instead of htmlentities?
>
>I know: if you only want to get certain characters translated. This is
>not the answer I'm looking for, I would like to know *why* you would
>want that, as opposed to a full translation.

htmlspecialchars allows you, for example, to display HTML Code (not have
it interpreted by the browser).
Can be useful if you are coding a BBS and you want the BBCode tags to work, so that users can post examples.

htmlentities will replace everything it can.
Can be useful if you want to store accented letters in a database that
does not support it (does that exist?), or to be really sure that all
of your users are going to see accented letters, even without setting
correctly the charset you are using.

Well that's what I believe at least.
I may be wrong, and I'm sure there are better uses of htmlentities than
displaying correctly content with a badly set charset
Sep 13 '08 #2
Romain Gilliotte wrote:
>mijn naam wrote:
>>Can someone please explain to me why/when one would use
>>htmlspecialchars instead of htmlentities?
>>
>>I know: if you only want to get certain characters translated. This
>>is not the answer I'm looking for, I would like to know *why* you
>>would want that, as opposed to a full translation.
>
>htmlspecialchars allows you, for example, to display HTML Code (not have
>it interpreted by the browser).
>Can be useful if you are coding a BBS and you want the BBCode tags to work, so that users can post examples.
>
>htmlentities will replace everything it can.
>Can be useful if you want to store accented letters in a database that
>does not support it (does that exist?), or to be really sure that all
>of your users are going to see accented letters, even without setting
>correctly the charset you are using.
>
>Well that's what I believe at least.
>I may be wrong, and I'm sure there are better uses of htmlentities than
>displaying correctly content with a badly set charset

I found this on php.net:

richard at aggmedia dot net
13-Mar-2008 04:32
From SR:
>There's no sane reason to use htmlentities() instead
>of htmlspecialchars(). As long as you specify the charset
>of a page with a Content-Type meta in the head of a
>page (which you should ALWAYS do in the first place),
>escaping all characters is completely pointless and will
>only grow the size of your page. Only the special HTML
>characters (<, >, &, etc.) need to be escaped, which is
>exactly what htmlspecialchars() does

This is inaccurate and unhelpful.

There are many cases where you would want to convert a UTF-8 (or other)
encoded string into appropriate HTML entity representations, as well as
being just good practice to use more compatible entities instead of
embedded character encodings.

One such example is when using JavaScript for string manipulation, which
doesn't support character sets and thus does not respect the UTF-8 BOM.
By converting to full entities, JavaScript works with the entity text
instead of byte codes.

So long as the developer understands what is happening with encoding and
how character sets work, they should make their own call on which
function they need to use.
Sep 13 '08 #3
..oO(mijn naam)
>Can someone please explain to me why/when one would use htmlspecialchars
>instead of htmlentities?

htmlspecialchars() is _always_ required if you want to print arbitrary
textual data to an HTML page. Some characters have a special meaning in
HTML and have to be escaped if they appear in your text. It also helps
to prevent XSS (cross-site-scripting) attacks, if you're printing
user-submitted data.

htmlentities() is not really necessary anymore, because today every
system (server-side and client-side) should be capable of handling UTF-8
data. This means you don't have to use ugly character references like
&eacute; anymore, but can write all the chars you want directly, like é.

Micha
Sep 13 '08 #4
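
The difference discussed in this thread, as an added example that is not code from any poster: both functions escape the same markup-significant characters, htmlentities() additionally rewrites non-ASCII letters, and the quote flag decides whether `'` is escaped. The helper names `e` and `unescaped_markup` and the sample string are constructed for illustration.

```php
<?php
// Added illustration; helper names and the sample string are constructed.

// Output-escaping helper with explicit flags and charset, so the result
// does not depend on the defaults of the PHP version in use.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Returns markup-significant characters still present after escaping.
// An '&' that begins a character reference is ignored; a bare one is reported.
function unescaped_markup(string $escaped): array
{
    $rest = (string) preg_replace('/&(?:[a-zA-Z][a-zA-Z0-9]*|#\d+);/', '', $escaped);
    preg_match_all('/[<>&"\']/', $rest, $m);
    return array_values(array_unique($m[0]));
}

// Constructed sample: tags, both quote styles, '&' and an accented letter
// (written as \u{e9} so the file's own encoding does not matter).
$input = "Tom's \"caf\u{e9}\" <b>bold</b> & more";

$outputs = [
    'htmlspecialchars, ENT_QUOTES' => e($input),
    'htmlentities, ENT_QUOTES'     => htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8'),
    'htmlspecialchars, ENT_COMPAT' => htmlspecialchars($input, ENT_COMPAT | ENT_HTML401, 'UTF-8'),
];

foreach ($outputs as $label => $out) {
    $left = unescaped_markup($out);
    // Decoding must give back the original text: escaping changes the
    // representation only, never the content.
    $roundTrip = html_entity_decode($out, ENT_QUOTES | ENT_HTML401, 'UTF-8') === $input;
    printf(
        "%s\n  %s\n  bytes: %d  still unescaped: %s  round-trips: %s\n",
        $label,
        $out,
        strlen($out),
        $left ? implode(' ', $left) : 'none',
        $roundTrip ? 'yes' : 'no'
    );
}
```

A character reported as still unescaped under ENT_COMPAT matters when the value is written inside a single-quoted attribute; passing the flags and charset explicitly keeps the behaviour the same across PHP versions.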
..oO(Romain Gilliotte)
>I found this on php.net:
>
>richard at aggmedia dot net
>13-Mar-2008 04:32
>From SR:
>>There's no sane reason to use htmlentities() instead
>>of htmlspecialchars(). As long as you specify the charset
>>of a page with a Content-Type meta in the head of a
>>page (which you should ALWAYS do in the first place),
>>escaping all characters is completely pointless and will
>>only grow the size of your page. Only the special HTML
>>characters (<, >, &, etc.) need to be escaped, which is
>>exactly what htmlspecialchars() does
>
>This is inaccurate and unhelpful.
>
>There are many cases where you would want to convert a UTF-8 (or other)
>encoded string into appropriate HTML entity representations

I can't think of any one.

>as well as
>being just good practice to use more compatible entities instead of
>embedded character encodings.

HTML is based on Unicode. Virtually every user agent supports UTF-8,
even NN 4 and search engine bots. And if one UA should have problems
with it, then it doesn't really matter anyway.

>One such example is when using JavaScript for string manipulation, which
>doesn't support character sets and thus does not respect the UTF-8 BOM.

What kind of string manipulations? And why should JS have problems with
UTF-8 or Unicode in general?

>By converting to full entities, JavaScript works with the entity text
>instead of byte codes.

Which might cause new problems, dependent on what you're trying to do
with the strings.

Micha
Sep 13 '08 #5
"Romain Gilliotte" <el****@gmail.com> wrote in message
news:48***********************@news.free.fr...
>So long as the developer understands what is happening with encoding and
>how character sets work, they should make their own call on which function
>they need to use.

Ack, thanks for your insight (all of it).

As I expected: it depends. A benefit of using htmlspecialchars would be
resource utilization.

The main reason would be taste. :-)
Sep 13 '08 #6
..oO(mijn naam)
>"Romain Gilliotte" <el****@gmail.com> wrote in message
>news:48***********************@news.free.fr...
>>So long as the developer understands what is happening with encoding and
>>how character sets work, they should make their own call on which function
>>they need to use.
>
>Ack, thanks for your insight (all of it).
>
>As I expected: it depends. A benefit of using htmlspecialchars would be
>resource utilization.
>
>The main reason would be taste. :-)

The main reasons for htmlspecialchars() are security and reliability.

Micha
Sep 13 '08 #7
Michael Fesser wrote:
>htmlentities() is not really necessary anymore, because today every
>system (server-side and client-side) should be capable of handling UTF-8
>data.

That's supposing you consider MSIE7 up to today's standards :-D

--
----------------------------------
Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

MSN:i_*************************@hotmail.com
Jabber:iv*********@jabber.org ; iv*********@kdetalk.net
Sep 13 '08 #8
..oO(Iván Sánchez Ortega)
>Michael Fesser wrote:
>>htmlentities() is not really necessary anymore, because today every
>>system (server-side and client-side) should be capable of handling UTF-8
>>data.
>
>That's supposing you consider MSIE7 up to today's standards :-D

Not really, but at least UTF-8 works there.

Micha
Sep 13 '08 #9
