I'd like to know if it's really necessary to escape my string with htmlentities($str, ENT_QUOTES, "UTF-8") before printing it in an HTML textarea.
Or does this one automatically escape the characters for me?
Yes, it is necessary.
Otherwise, a </textarea> in the input data would mess up your markup.
<textarea> <--------------------------- Your tag
</textarea> <------------------------ User input
<script>alert("Hello!");</script> <-- User input, XSS injection
</textarea> <-------------------------- Your tag
The textarea element is defined as containing PCDATA, so tags are not allowed inside it and entities are still decoded.
Browsers will perform error correction, but error correction is a poor substitute for not having errors in the first place.
Some errors will not be corrected (because they aren't syntax errors), such as when you want the data to be < or </textarea>.
Even if you decide that some errors are acceptable to you, then when you use a validator to perform basic QA, you will be generating noise that might obscure errors you care about.
So in short, yes, it is necessary to escape characters with special meaning. However, so long as you get your character encoding straight, htmlspecialchars is sufficient.
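As an added illustration of the point made in both answers (this is example code, not part of the original question or answers), the snippet below renders the same user-supplied text into a textarea once unescaped and once through htmlspecialchars, so the broken and the safe markup can be compared side by side. The sample input and the function names are constructed for the example.

```php
<?php
// Added example (not from the original post): compare unescaped and escaped
// rendering of user-controlled text inside a <textarea>.
declare(strict_types=1);

// Constructed sample input: what a user might paste into a comment form.
// It contains a closing tag, a script, a literal entity and a bold tag.
$userInput = "</textarea><script>alert(\"Hello!\");</script>\n&amp; and <b>";

/**
 * Unsafe: the raw string is concatenated into the markup. The "</textarea>"
 * in the data closes the element early and everything after it is parsed as
 * live HTML, which is the XSS scenario from the first answer.
 */
function renderTextareaUnsafe(string $value): string
{
    return '<textarea name="comment">' . $value . '</textarea>';
}

/**
 * Safe: htmlspecialchars() turns &, <, >, " and ' into entities. Because a
 * textarea is PCDATA, the browser decodes those entities back into the
 * literal characters the user typed, and "&amp;" is shown as "&amp;" rather
 * than being collapsed to "&". The encoding argument must match the page's
 * charset, as the second answer notes.
 */
function renderTextareaSafe(string $value): string
{
    return '<textarea name="comment">'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

echo "Unsafe markup:\n", renderTextareaUnsafe($userInput), "\n\n";
echo "Safe markup:\n", renderTextareaSafe($userInput), "\n";
```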