
when using htmlspecialchars to escape double-quotes, why is ENT_QUOTES required when using ENT_SUBSTITUTE?

I noticed the following behavior when working with htmlspecialchars in php version 7.0.3:

php > echo htmlspecialchars('"');
&quot;
php > echo htmlspecialchars('"', ENT_SUBSTITUTE);
"
php > echo htmlspecialchars('"', ENT_QUOTES | ENT_SUBSTITUTE);
&quot;

We would like to escape double-quotes while also using the ENT_SUBSTITUTE flag. Notice that the double-quote does not get escaped when using only the ENT_SUBSTITUTE flag.

Is the ENT_QUOTES flag required with ENT_SUBSTITUTE if we want to escape double quotes? Why is this?

The documentation for htmlspecialchars does not say that ENT_QUOTES is required when using ENT_SUBSTITUTE. In fact, it seems to suggest the opposite – double-quotes should always get escaped unless the ENT_NOQUOTES flag is present.

When you explicitly pass flags to htmlspecialchars, you replace the default flags.

htmlspecialchars($data) is equivalent to htmlspecialchars($data, ENT_COMPAT | ENT_HTML401)

htmlspecialchars($data, ENT_SUBSTITUTE) discards the rules from ENT_COMPAT and ENT_HTML401 to just use the rules from ENT_SUBSTITUTE.

(And ENT_COMPAT causes double quotes to be converted).

ENT_COMPAT | ENT_HTML401 is the default value for the $flags parameter. When you pass ENT_SUBSTITUTE instead, you're overriding the default. It is now not applying ENT_COMPAT anymore, which is responsible for the quotes. If you want to add ENT_SUBSTITUTE to the default parameters, you should correctly write:

htmlspecialchars('"', ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE)
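As an added example (not code from the question or either answer), the following PHP script shows both effects side by side: which flag sets escape the double quote, and what ENT_SUBSTITUTE itself does with an invalid UTF-8 byte. The sample strings and the attr() helper are my own constructions.

```php
<?php
// Added example, not from the question or the answers. Prints what each flag set
// does to a string holding a double quote and an invalid UTF-8 byte, so the
// quote-escaping effect (ENT_COMPAT / ENT_QUOTES) and the invalid-byte effect
// (ENT_SUBSTITUTE) can be compared directly.
declare(strict_types=1);

// Constructed sample input: a double quote followed by a lone 0xFF byte, which is
// not valid UTF-8. Without ENT_SUBSTITUTE (or ENT_IGNORE), htmlspecialchars returns
// an empty string for such input; with ENT_SUBSTITUTE the byte becomes U+FFFD.
$sample = "\"\xFF";

$cases = [
    'default (ENT_COMPAT | ENT_HTML401 on PHP 7.x)' => null,
    'ENT_SUBSTITUTE only'                           => ENT_SUBSTITUTE,
    'ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE'     => ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE,
    'ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5'       => ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
];

foreach ($cases as $label => $flags) {
    // Any explicit $flags value replaces the default set entirely; it is not additive.
    $out = $flags === null ? htmlspecialchars($sample) : htmlspecialchars($sample, $flags);
    // bin2hex makes an empty result and the U+FFFD bytes visible in a terminal.
    printf("%-48s => %s\n", $label, $out === '' ? '(empty string)' : bin2hex($out));
}
// Note: since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
// so on newer versions the "default" row behaves like the last two rows.

// Helper for HTML attribute values: escape both quote kinds, keep output on bad bytes,
// and pin the charset rather than relying on the default_charset ini setting.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// With ENT_SUBSTITUTE alone the raw quote ends the attribute value early.
$text = 'say "hi"';
echo '<input value="' . htmlspecialchars($text, ENT_SUBSTITUTE) . '">', "\n";
echo '<input value="' . attr($text) . '">', "\n";
```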
