php Question posted in
Official manual can be found here.

Php – htmlspecialchars() default flags

https://www.php.net/manual/en/function.htmlspecialchars.php

flags…
The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

But then below

When neither of ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES is present, the default is ENT_NOQUOTES.

And indeed if you don’t pass any flag all quotes are unascaped. This made me open to xss for a long time.

So, what does "The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401" mean, why does it say it is default?

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    found it:

    8.1.0 flags changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

    my version is below 8.1.0.

    I guess when I added code long ago I just missed those flags.


  2. 0

    The default value when passing no $flags parameter is

    ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401

    The second part…

    When neither of ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES is present, the default is ENT_NOQUOTES

    is talking about what happens when you do pass a value but it contains neither ENT_COMPAT, ENT_QUOTES or ENT_NOQUOTES.

    For example, passing no $flags parameter

    $str = <<<_HTML
'single quotes'
"double quotes"
_HTML;

echo htmlspecialchars($str);

    produces

    &#039;single quotes&#039;
&quot;double quotes&quot;

    Whereas passing a $flags parameter that has no quote controlling values defaults the quotes handling to ENT_NOQUOTES

    htmlspecialchars($str, ENT_HTML5);

    'single quotes'
"double quotes"

    Demo ~ https://3v4l.org/hl2tk

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search