
https://www.php.net/manual/en/function.htmlspecialchars.php

flags…
The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

But then below

When neither of ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES is present, the default is ENT_NOQUOTES.

And indeed if you don’t pass any flag all quotes are unescaped. This made me open to XSS for a long time.

So, what does "The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401" mean, and why does it say it is the default?


Answers


  1. Chosen as BEST ANSWER

    found it:

    8.1.0 flags changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.

    my version is below 8.1.0.

    I guess when I added code long ago I just missed those flags.


  2. The default value when passing no $flags parameter is

    ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401
    

    The second part…

    When neither of ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES is present, the default is ENT_NOQUOTES

    is talking about what happens when you do pass a value but it contains neither ENT_COMPAT, ENT_QUOTES nor ENT_NOQUOTES.

    For example, passing no $flags parameter

    $str = <<<_HTML
    'single quotes'
    "double quotes"
    _HTML;
    
    echo htmlspecialchars($str);
    

    produces

    &#039;single quotes&#039;
    &quot;double quotes&quot;
    

    Whereas passing a $flags parameter that has no quote-controlling values defaults the quote handling to ENT_NOQUOTES

    htmlspecialchars($str, ENT_HTML5);
    
    'single quotes'
    "double quotes"
    

    Demo ~ https://3v4l.org/hl2tk
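The version-dependent default and the ENT_NOQUOTES fallback discussed in both answers, side by side with an explicit flag set that behaves the same on every PHP version. This is an added example, not code from the thread; the input string and the safeForAttribute helper are constructed for illustration.

```php
<?php
// Added example: how the implicit default of htmlspecialchars() changes the
// outcome in an HTML attribute context, and why explicit flags are safer.
declare(strict_types=1);

// Constructed sample: untrusted text destined for a quoted attribute value.
// It carries both quote kinds so the difference between flag sets is visible.
$untrusted = "O'Brien\" title=\"injected";

// No flags: before PHP 8.1 the implicit default was ENT_COMPAT (only double
// quotes converted); since 8.1 it is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401
// (both quote kinds converted). The result therefore depends on the runtime.
$implicit = htmlspecialchars($untrusted);

// A flag set with no quote-handling member (here only ENT_HTML5) silently
// selects ENT_NOQUOTES on every version: neither quote kind is converted.
$noQuotes = htmlspecialchars($untrusted, ENT_HTML5);

// Explicit quote handling: identical output on every supported version.
$explicit = htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

/**
 * Constructed check: an escaped string is only safe inside a quoted attribute
 * if it can no longer terminate that attribute, i.e. it contains no raw quote.
 */
function safeForAttribute(string $escaped): bool
{
    return strpos($escaped, '"') === false && strpos($escaped, "'") === false;
}

$cases = [
    'no flags'       => $implicit,   // UNSAFE below 8.1, safe from 8.1 on
    'ENT_HTML5 only' => $noQuotes,   // UNSAFE on every version
    'explicit flags' => $explicit,   // safe on every version
];

foreach ($cases as $label => $out) {
    printf("%-15s %-6s <input value=\"%s\">\n",
        $label, safeForAttribute($out) ? 'safe' : 'UNSAFE', $out);
}
```

Run it once on a pre-8.1 interpreter and once on 8.1 or later: only the "no flags" row changes, which is exactly the behaviour the manual text describes.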
