I am responding to an AJAX call by sending it an XML document through PHP echos. In order to form this XML document, I loop through the records of a database. The problem is that the database includes records that have '<' symbols in them. So naturally, the browser throws an error at that particular spot. How can this be fixed?
Since PHP 5.4 you can use:
htmlspecialchars($string, ENT_XML1);
You should specify the encoding, such as:
htmlspecialchars($string, ENT_XML1, 'UTF-8');
Note that the above will only convert:
& to &amp;
< to &lt;
> to &gt;
If you want to escape text for use in an attribute enclosed in double quotes:
htmlspecialchars($string, ENT_XML1 | ENT_COMPAT, 'UTF-8');
will convert " to &quot; in addition to &, < and >.
And if your attributes are enclosed in single quotes:
htmlspecialchars($string, ENT_XML1 | ENT_QUOTES, 'UTF-8');
will convert ' to &apos; in addition to &, <, > and ".
(Of course you can use this even outside of attributes).
See the manual entry for htmlspecialchars.
By either escaping those characters with htmlspecialchars, or, perhaps more appropriately, using a library for building XML documents, such as DOMDocument or XMLWriter.
Another alternative would be to use CDATA sections, but then you'd have to look out for occurrences of ]]>.
Take also into consideration that you must respect the encoding you define for the XML document (by default UTF-8).
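A worked example added here (it is not code from the question or from either answer) that ties both answers together: text and double-quoted attribute values escaped with htmlspecialchars and ENT_XML1, a CDATA helper that splits a literal ]]>, and the same document produced with XMLWriter. The $records array is constructed sample data standing in for the database rows.

```php
<?php
// Added example, not from the original post: emit XML from database-like
// records, escaping element text and attribute values for XML 1.0.
// Constructed sample rows standing in for the database; the values
// deliberately contain characters that break raw XML output.
$records = [
    ['id' => 1, 'title' => 'a < b && c > d', 'note' => 'plain'],
    ['id' => 2, 'title' => 'He said "hi"',    'note' => "it's fine"],
    ['id' => 3, 'title' => 'third',           'note' => 'ends with ]]>'],
];

// Element text: & < > become &amp; &lt; &gt; (ENT_XML1, explicit UTF-8).
function xmlText(string $s): string { return htmlspecialchars($s, ENT_XML1, 'UTF-8'); }

// Double-quoted attribute value: ENT_COMPAT additionally turns " into &quot;.
function xmlAttr(string $s): string { return htmlspecialchars($s, ENT_XML1 | ENT_COMPAT, 'UTF-8'); }

// CDATA alternative: a literal "]]>" inside the text would end the section
// early, so split it across two sections. Escaping is usually simpler.
function xmlCdata(string $s): string { return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $s) . ']]>'; }

// Hand-built document via echo, as in the question; record 3 uses CDATA.
echo '<?xml version="1.0" encoding="UTF-8"?>', "\n<records>\n";
foreach ($records as $r) {
    $note = $r['id'] === 3 ? xmlCdata($r['note']) : xmlText($r['note']);
    echo '  <record id="', xmlAttr((string) $r['id']), '" title="',
         xmlAttr($r['title']), '">', $note, "</record>\n";
}
echo "</records>\n";

// The same document built with XMLWriter, which does the escaping itself.
$w = new XMLWriter();
$w->openMemory();
$w->startDocument('1.0', 'UTF-8');
$w->startElement('records');
foreach ($records as $r) {
    $w->startElement('record');
    $w->writeAttribute('id', (string) $r['id']);
    $w->writeAttribute('title', $r['title']);
    $w->text($r['note']);
    $w->endElement();
}
$w->endElement();
echo $w->outputMemory();
```

Both documents parse identically with simplexml_load_string(); the XMLWriter version also escapes the > in ]]> as &gt;, so the CDATA helper is only needed when you insist on CDATA sections.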