
IE giving error on XML code embedded with PHP

This code works fine on browsers other than IE.

echo "
<item>
<link>http://www.example.com/showrssdetails.php?id=".$row[recordid]."</link>
<guid isPermaLink=\"true\">http://www.example.com/showrssdetails.php.php?id=".$row[recordid]."</guid>
<title>".$row[company]."</title>
<description><! [CDATA[".$row[desiredcandidate]."]]></description>
<comments>http://www.example.com/showrssdetails.php.php?id=".$row[recordid]."#Comments</comments>
</item>";

IE gives error on line 6:

An invalid character was found in text content. Error processing resource ' http://example.com/job_listing_rssxml.php ...

It should be

<![CDATA

not

<! [CDATA

It finds the '>' at the end there and doesn't like it.

You also need to change all '"', '<' and '>' inside your PHP code snippet to HTML entities. You should do it this way:

...
<![CDATA[".htmlspecialchars($row['desiredcandidate'])."]]>
...

And get it back out like this:

htmlspecialchars_decode($string)

<title>".$row[company]."</title>

XML-injection if company can contain < or &. Use htmlspecialchars() to encode any text you append into markup. (It works just as well for XML as for HTML. htmlentities, on the other hand, wouldn't.)

<description><! [CDATA[".$row[desiredcandidate]."]]></description>

Stray space in the CDATA section, it should be <![CDATA[ ... ]]>. Note that ]]> is invalid on its own in text content.

Either way, CDATA sections aren't really helping you. It doesn't absolve you from the responsibility of escaping your output: a string ]]> in the value would still break the well-formedness. CDATA sections are a hack for hand-authoring convenience, not generally something you'd put in machine-generated XML.

Given that you have to do some escaping anyway for this case, you are better off forgetting about CDATA and just doing it the normal way:

<description><?php echo htmlspecialchars($row['desiredcandidate']); ?></description>

(Or predefine a function with a short name like h() to do echo htmlspecialchars for you, to avoid so much typing.)

(Note: avoid using bare-word array indices. It's ambiguous, may fail in the future, and will generate NOTICEs.)
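
An added example (not part of the question or of any answer above) that runs the point about escaping versus CDATA end to end: the same row is rendered once with an unescaped CDATA section and once with every value passed through htmlspecialchars(), then each result is checked for well-formedness and the escaped text is read back with a parser. The names rss_item_escaped, rss_item_cdata and is_well_formed and the sample row are hypothetical, and PHP's DOM extension is assumed to be available.

```php
<?php
// h() is the short helper the answer suggests. ENT_XML1 selects XML 1 output;
// ENT_QUOTES also escapes both quote characters, for use in attribute values.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Hypothetical builder: every interpolated value is escaped on output.
function rss_item_escaped(array $row): string {
    $url = 'http://www.example.com/showrssdetails.php?id=' . rawurlencode((string)$row['recordid']);
    return "<item>"
         . "<link>" . h($url) . "</link>"
         . "<guid isPermaLink=\"true\">" . h($url) . "</guid>"
         . "<title>" . h($row['company']) . "</title>"
         . "<description>" . h($row['desiredcandidate']) . "</description>"
         . "</item>";
}

// Hypothetical builder: the question's approach (stray space fixed), no escaping.
function rss_item_cdata(array $row): string {
    return "<item><title>" . $row['company'] . "</title>"
         . "<description><![CDATA[" . $row['desiredcandidate'] . "]]></description></item>";
}

// Hypothetical check: does the fragment parse as well-formed XML?
function is_well_formed(string $xml): bool {
    $prev = libxml_use_internal_errors(true);   // collect parse errors quietly
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $ok;
}

// Constructed sample row: markup characters and a CDATA terminator in the data.
$row = [
    'recordid' => 42,
    'company' => 'Smith & Sons <Ltd>',
    'desiredcandidate' => 'Knows XML ]]> and <b>HTML</b>',
];

var_dump(is_well_formed(rss_item_cdata($row)));
var_dump(is_well_formed(rss_item_escaped($row)));

// Read the escaped item back and compare the parsed text with the original value.
$doc = new DOMDocument();
$doc->loadXML(rss_item_escaped($row));
var_dump($doc->getElementsByTagName('description')->item(0)->textContent === $row['desiredcandidate']);
```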
