
Why does filter_var() encode quotes differently than htmlentities()?

Why does filter_var()'s FILTER_SANITIZE_STRING filter encode single quotes as &#39; and double quotes as &#34; while htmlentities() encodes single quotes as &#039; and double quotes as &quot;?

Code Sample:

<?php
$string = "Well that's \"different.\"";

echo "filter_var: ".filter_var($string, FILTER_SANITIZE_STRING)."\n";
echo "htmlentities: ".htmlentities($string, ENT_QUOTES)."\n";
echo "htmlspecialchars: ".htmlspecialchars($string, ENT_QUOTES)."\n";

Output:

filter_var: Well that&#39;s &#34;different.&#34;
htmlentities: Well that&#039;s &quot;different.&quot;
htmlspecialchars: Well that&#039;s &quot;different.&quot;

It's because the filter extension has nothing to do with HTML processing. It doesn't use the HTML entity conversion table. It is just a stupid encoding based on the ASCII value.

  • " is 34 in ASCII
  • ' is 39 in ASCII

The same applies for any other character that the filter extension converts to HTML encoded form. It takes the ASCII numerical value in decimal, prepends &# and appends ;. That's it! It's simple and efficient, even if it's not very correct.

No offence to anyone, but using this extension for anything HTML related is a rather dumb idea. The constant FILTER_SANITIZE_STRING is deprecated now and it will be removed in future versions of PHP. There exists a filter FILTER_SANITIZE_FULL_SPECIAL_CHARS which is just a wrapper around htmlspecialchars(), but I can't think of any reason to use this over the simple htmlspecialchars() function.

Some of these filters are a remainder from the era of lazy PHP. Developers used lazy approaches to security like magic quotes, which didn't provide enough security and often led to more mess. These HTML filters were created with the same lazy approach in mind. It's better to provide something than nothing to mitigate XSS. However, this is definitely not the recommended practice anymore. Please format the output correctly using the appropriate functions to avoid XSS rather than relying on filters for sanitization.
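Added example (not part of the question or the answer above): it reimplements, for the two quote characters only, the decimal "&#" + ASCII value + ";" encoding the answer describes, shows that this spelling and the &#039;/&quot; spelling decode to the same text, and contrasts it with htmlspecialchars() as the output-escaping function the answer recommends. The function names decimal_entity_quotes() and html_escape() are this example's own; the real FILTER_SANITIZE_STRING filter additionally strips tags, which is not mirrored here.

```php
<?php
declare(strict_types=1);

// Encode quotes the way the answer describes the filter extension doing it:
// take the character's ASCII value in decimal, prepend "&#", append ";".
// Hypothetical helper; it mirrors only the quote handling, not tag stripping.
function decimal_entity_quotes(string $s): string
{
    $out = '';
    foreach (str_split($s) as $ch) {
        if ($ch === '"' || $ch === "'") {
            $out .= '&#' . ord($ch) . ';';   // ord('"') === 34, ord("'") === 39
        } else {
            $out .= $ch;                     // everything else passes through untouched
        }
    }
    return $out;
}

// Proper output escaping for an HTML text node or attribute value.
// ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string (which would silently blank the output).
// ENT_HTML401 (the default doctype) keeps the &#039; spelling seen on this page;
// ENT_HTML5 would emit &apos; instead.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

$string = "Well that's \"different.\"";   // same constructed input as the question

$a = decimal_entity_quotes($string);   // Well that&#39;s &#34;different.&#34;
$b = html_escape($string);             // Well that&#039;s &quot;different.&quot;

echo "decimal entities: $a\n";
echo "htmlspecialchars: $b\n";

// Both are valid HTML character references for the same code points, so a
// browser renders them identically; only the spelling differs.
$flags = ENT_QUOTES | ENT_HTML401;
var_dump(html_entity_decode($a, $flags, 'UTF-8') === $string);   // bool(true)
var_dump(html_entity_decode($b, $flags, 'UTF-8') === $string);   // bool(true)

// Where quote-only encoding falls short for XSS mitigation: the characters that
// open markup are left alone, whereas htmlspecialchars() neutralises them too.
$markup = '<b>"bold"</b>';                 // constructed sample input
echo decimal_entity_quotes($markup), "\n"; // <b>&#34;bold&#34;</b>
echo html_escape($markup), "\n";           // &lt;b&gt;&quot;bold&quot;&lt;/b&gt;
```

Run it with the PHP CLI; the second pair of lines is the practical takeaway: escape at the point of output with htmlspecialchars() and the right flags, rather than relying on a sanitising filter at input time.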
