https://www.php.net/manual/en/function.htmlspecialchars.php
flags…
The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
But then below
When neither of ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES is present, the default is ENT_NOQUOTES.
And indeed if you don’t pass any flag all quotes are unescaped. This made me open to XSS for a long time.
So, what does "The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401" mean, why does it say it is default?
2 Answers
Found it:
my version is below 8.1.0.
I guess when I added code long ago I just missed those flags.
The default value when passing no $flags parameter is

The second part…

is talking about what happens when you do pass a value but it contains neither ENT_COMPAT, ENT_QUOTES or ENT_NOQUOTES.

For example, passing no $flags parameter produces

Whereas passing a $flags parameter that has no quote controlling values defaults the quotes handling to ENT_NOQUOTES.

Demo ~ https://3v4l.org/hl2tk
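The three cases discussed in this answer, as an added example that is not part of the question or the answers: no $flags argument, a $flags value with no quote-controlling bit, and an explicit flag set. The sample input and the quotesEscaped() helper are constructed for this demonstration.

```php
<?php
// Added example, not code from the question or answers: it shows how the
// $flags argument decides whether htmlspecialchars() escapes quotes, and
// gives a check for output that is about to land inside an HTML attribute.
declare(strict_types=1);

// Constructed sample input containing both quote characters.
$untrusted = '"\' data-injected="1';

// Returns true when neither raw quote character survived escaping, i.e. the
// value cannot terminate a double- or single-quoted attribute.
function quotesEscaped(string $escaped): bool
{
    return strpbrk($escaped, '"\'') === false;
}

// 1. No $flags at all. PHP >= 8.1: ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
//    both quotes escaped. PHP < 8.1: ENT_COMPAT | ENT_HTML401, only " escaped,
//    so ' is left alone (the situation the question ran into).
$noArg = htmlspecialchars($untrusted);

// 2. $flags given, but with none of ENT_COMPAT / ENT_QUOTES / ENT_NOQUOTES.
//    PHP treats this as ENT_NOQUOTES on every version: no quote is escaped.
$noQuoteBits = htmlspecialchars($untrusted, ENT_SUBSTITUTE | ENT_HTML5);

// 3. Explicit flags, independent of the PHP version and its default.
$explicit = htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

foreach (['no $flags' => $noArg, 'no quote bits' => $noQuoteBits, 'explicit' => $explicit] as $label => $out) {
    printf("%-14s safe=%s  <input value=\"%s\">\n",
        $label, quotesEscaped($out) ? 'yes' : 'no', $out);
}
```

Only case 3 gives the same result on every PHP version, which is why spelling out ENT_QUOTES (and the charset) is the safer habit than relying on the default.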