just wondering... htmlspecialchars vs htmlentities

mijn naam escribió:

Can someone please explain to me why/when one would use htmlspecialchars
instead of htmlentities?

I know: if you only want to get certain characters translated. This is
not the answer I'm looking for, I would like to know *why* you would
want that, as opposed to a full translation.

htmlspecialchars allows you, per example to display HTML Code (not have
it interpreted by the browser).
Can be useful if you are coding a BBS and you want the BBCode tags to work, so that users can post examples.

htmlentities will replace everything it can.
Can be useful if your want to store accentued letters in a database that
does not support it (does that exists?), or to be really sure that all
of your users are going to see accentued letters, even without setting
correctly the charset you are using.

Well that's what I believe at least.
I may be wrong, and I'm sure their are better uses of htmlentities that
displaying correctly content with a badly setted charset

Romain Gilliotte escribió:

mijn naam escribió:

>Can someone please explain to me why/when one would use
htmlspecialchars instead of htmlentities?

I know: if you only want to get certain characters translated. This
is not the answer I'm looking for, I would like to know *why* you
would want that, as opposed to a full translation.

htmlspecialchars allows you, per example to display HTML Code (not have
it interpreted by the browser).
Can be useful if you are coding a BBS and you want the BBCode tags to work, so that users can post examples.

htmlentities will replace everything it can.
Can be useful if your want to store accentued letters in a database that
does not support it (does that exists?), or to be really sure that all
of your users are going to see accentued letters, even without setting
correctly the charset you are using.

Well that's what I believe at least.
I may be wrong, and I'm sure their are better uses of htmlentities that
displaying correctly content with a badly setted charset

I found this on php.net:

richard at aggmedia dot net
13-Mar-2008 04:32
From SR:

There's no sane reason to use htmlentities() instead
of htmlspecialchars(). As long as you specify the charset
of a page with a Content-Type meta in the head of a
page (which you should ALWAYS do in the first place),
escaping all characters is completely pointless and will
only grow the size of your page. Only the special HTML
characters (<, >, &, etc.) need to be escaped, which is
exactly what htmlspecialchars() does

This is inaccurate and unhelpful.

There are many cases where you would want to convert a UTF-8 (or other)
encoded string into appropriate HTML entity representations, as well as
being just good practice to use more compatable entities instead of
embedded character encodings.

One such example is when using JavaScript for string manipulation, which
doesn't support character sets and thus does not respect the UTF-8 BOM.
By converting to full entities, JavaScript works with the entity text
instead of byte codes.

So long as the developer understands what is happening with encoding and
how character sets work, they should make their own call on which
function they need to use.

..oO(mijn naam)

>Can someone please explain to me why/when one would use htmlspecialchars
instead of htmlentities?

htmlspecialchars() is _always_ required if you want to print arbitrary
textual data to an HTML page. Some characters have a special meaning in
HTML and have to be escaped if they appear in your text. It also helps
to prevent XSS (cross-site-scripting) attacks, if you're printing user-
submitted data.

htmlentities() is not really necessary anymore, because today every
system (server-side and client-side) should be capable of handling UTF-8
data. This means you don't have to use ugly character references like
&eacute; anymore, but can write all the chars you want directly, like é.

Micha

..oO(Romain Gilliotte)

>I found this on php.net:

richard at aggmedia dot net
13-Mar-2008 04:32
From SR:

There's no sane reason to use htmlentities() instead
of htmlspecialchars(). As long as you specify the charset
of a page with a Content-Type meta in the head of a
page (which you should ALWAYS do in the first place),
escaping all characters is completely pointless and will
only grow the size of your page. Only the special HTML
characters (<, >, &, etc.) need to be escaped, which is
exactly what htmlspecialchars() does

This is inaccurate and unhelpful.

There are many cases where you would want to convert a UTF-8 (or other)
encoded string into appropriate HTML entity representations

I can't think of any one.

>as well as
being just good practice to use more compatable entities instead of
embedded character encodings.

HTML is based on Unicode. Virtually every user agent supports UTF-8,
even NN 4 and search engine bots. And if one UA should have problems
with it, then it doesn't really matter anyway.

>One such example is when using JavaScript for string manipulation, which
doesn't support character sets and thus does not respect the UTF-8 BOM.

What kind of string manipulations? And why should JS have problems with
UTF-8 or Unicode in general?

>By converting to full entities, JavaScript works with the entity text
instead of byte codes.

Which might cause new problems, dependent on what you're trying to do
with the strings.

Micha

"Romain Gilliotte" <el****@gmail.comschreef in bericht
news:48***********************@news.free.fr...

So long as the developer understands what is happening with encoding and
how character sets work, they should make their own call on which function
they need to use.

Ack, thanks for your insight (all of it).

As I expected: it depends. A benefit of using htmlspecialchars would be
resource utilization.

The main reason would be taste. :-)

..oO(mijn naam)

>"Romain Gilliotte" <el****@gmail.comschreef in bericht
news:48***********************@news.free.fr...

>So long as the developer understands what is happening with encoding and
how character sets work, they should make their own call on which function
they need to use.

Ack, thanks for your insight (all of it).

As I expected: it depends. A benefit of using htmlspecialchars would be
resource utilization.

The main reason would be taste. :-)

The main reasons for htmlspecialchars() are security and reliability.

Micha

Michael Fesser wrote:

htmlentities() is not really necessary anymore, because today every
system (server-side and client-side) should be capable of handling UTF-8
data.

That's supossing you consider MSIE7 up to today's standards :-D

--
----------------------------------
Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

MSN:i_*************************@hotmail.com
Jabber:iv*********@jabber.org ; iv*********@kdetalk.net

..oO(Iván Sánchez Ortega)

>Michael Fesser wrote:

>htmlentities() is not really necessary anymore, because today every
system (server-side and client-side) should be capable of handling UTF-8
data.

That's supossing you consider MSIE7 up to today's standards :-D

Not really, but at least UTF-8 works there.

Micha