I noticed the following behavior when working with htmlspecialchars in PHP version 7.0.3:

php > echo htmlspecialchars('"');
&quot;
php > echo htmlspecialchars('"', ENT_SUBSTITUTE);
"
php > echo htmlspecialchars('"', ENT_QUOTES | ENT_SUBSTITUTE);
&quot;
We would like to escape double-quotes while also using the ENT_SUBSTITUTE flag. Notice that the double-quote does not get escaped when using only the ENT_SUBSTITUTE flag.
Is the ENT_QUOTES flag required with ENT_SUBSTITUTE if we want to escape double quotes? Why is this?
The documentation for htmlspecialchars does not say that ENT_QUOTES is required when using ENT_SUBSTITUTE. In fact, it seems to suggest the opposite – double-quotes should always get escaped unless the ENT_NOQUOTES flag is present.
When you explicitly pass flags to htmlspecialchars, you replace the default flags.
htmlspecialchars($data) is equivalent to htmlspecialchars($data, ENT_COMPAT | ENT_HTML401).
htmlspecialchars($data, ENT_SUBSTITUTE) discards the rules from ENT_COMPAT and ENT_HTML401 to just use the rules from ENT_SUBSTITUTE.
(And ENT_COMPAT causes double quotes to be converted.)
ENT_COMPAT | ENT_HTML401 is the default value for the $flags parameter. When you pass ENT_SUBSTITUTE instead, you're overriding the default. It is now not applying ENT_COMPAT anymore, which is responsible for the quotes. If you want to add ENT_SUBSTITUTE to the default parameters, you should correctly write:
htmlspecialchars('"', ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE)
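The following script is an added example, not code from the question or either answer above. It runs the same input through the flag combinations both answers discuss and adds an invalid UTF-8 sample so the effect of ENT_SUBSTITUTE itself is visible alongside the quote handling. The helper names escape_html and compare_flags and the sample strings are constructed here for illustration; the flag constants and the htmlspecialchars() signature are PHP's own. On PHP versions before 8.1 the "default" row uses ENT_COMPAT | ENT_HTML401, as the answers state; PHP 8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so on a newer interpreter that row will already show quotes escaped.

```php
<?php
// Added example (not part of the original question or answers):
// compare what each $flags value passed to htmlspecialchars() actually
// escapes. Sample inputs below are constructed for illustration.

declare(strict_types=1);

/**
 * Escape a string for interpolation into HTML text or a quoted attribute.
 *
 *   ENT_QUOTES     escape both " and ' (ENT_COMPAT leaves ' untouched)
 *   ENT_SUBSTITUTE replace invalid UTF-8 with U+FFFD instead of returning ""
 *   ENT_HTML5      encode ' as &apos; rather than &#039;
 *
 * Passing the flags explicitly means the result does not depend on the
 * interpreter's default, which differs before and after PHP 8.1.
 */
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Run one input through several flag combinations and return the results
 * as var_export() strings, so an empty-string result is visible rather
 * than printing as nothing.
 */
function compare_flags(string $input): array
{
    $variants = [
        'default (no $flags argument)'             => htmlspecialchars($input),
        'ENT_SUBSTITUTE only'                      => htmlspecialchars($input, ENT_SUBSTITUTE),
        'ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE' => htmlspecialchars($input, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE),
        'ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5'   => escape_html($input),
    ];

    return array_map(function (string $v): string {
        return var_export($v, true);
    }, $variants);
}

// Constructed sample inputs.
$samples = [
    'double quote'    => '"',
    'single quote'    => "'",
    'attribute break' => '" onmouseover="alert(1)',  // payload aimed at a "..." attribute
    'invalid UTF-8'   => "abc\xC3",                   // truncated multibyte sequence
];

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    foreach (compare_flags($input) as $flags => $result) {
        printf("  %-42s %s\n", $flags . ':', $result);
    }
}
```

The rows worth comparing are "ENT_SUBSTITUTE only" against the other three: with that flag alone the double quote in the "attribute break" sample passes through unchanged, so a value placed inside a double-quoted attribute can close the attribute, while `<`, `>` and `&` are still encoded whatever quote flag is in effect. The "invalid UTF-8" sample shows the other side of the trade: without ENT_SUBSTITUTE (or ENT_IGNORE) htmlspecialchars() returns an empty string for the whole input, which silently drops data rather than escaping it. Combining ENT_QUOTES with ENT_SUBSTITUTE, as escape_html() does, gets both behaviours at once.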