Make user input safe for XML

Question

What is the best practice for generating valid XML with PHP from user submitted text, e.g. eCommerce sales data with ampersands, angle brackets, non-ascii accent characters, new lines etc etc.

What functions, libraries, regexes do folks rely on?

Answer 1

Wrap information in CDATA tags and encode data with htmlentities()

'<tag><![CDATA[' . htmlentities($theData) . ']]></tag>'

Or using DOM

$dom = new DOMDocument("1.0", "utf-8");

/* ... */

$dom->createCDATASection(htmlentities($theData));

Answer 2

If you want binary safeness, then you need to use an additional transport encoding. For example you can use base64 or uuencode to store the data in a binary safe fashion inside an XML chunk.