Discussion: Why doesn't the htmlspecialchars function convert single quotes to entities by default?
In the previous quiz, Online PHP Quiz, we tested our experience gained from the course.
I believe it's not the default because of backward compatibility; maybe they just didn't realize it was necessary, and now they can't change it. The best solution is to create a custom function that calls htmlspecialchars() with the appropriate parameters.
I'd like to mention some cases when it's really wise to escape single quotes since they can lead to some kinds of XSS. Consider this example:
<button onclick="alert('<?= htmlspecialchars($value) ?>');" />
If there was an apostrophe in $value, it could lead to JavaScript injection when htmlspecialchars() is used in its default configuration.
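As an added example (not code from the post above), the wrapper the poster suggests, shown beside the default-flag call on the same constructed input so the difference in output is visible. The helper name e() is our own choice; note that since PHP 8.1 the default flags of htmlspecialchars() already include ENT_QUOTES, so the gap described here applies to older releases or to code that passes ENT_COMPAT explicitly.

```php
<?php
declare(strict_types=1);

// Added example: always pass ENT_QUOTES so an apostrophe is encoded and can
// no longer terminate a single-quoted JavaScript string in an HTML attribute.
// ENT_SUBSTITUTE avoids returning "" on invalid UTF-8 (which would silently
// drop the whole value), and an explicit charset avoids relying on ini defaults.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Renders the snippet from the post with a given escaping strategy.
function renderButton(string $escaped): string
{
    return '<button onclick="alert(\'' . $escaped . '\');">click</button>';
}

// Constructed attacker-controlled value: closes the JS string, adds a call, reopens it.
$value = "x');injected();('";

// ENT_COMPAT (the pre-8.1 default): only double quotes are encoded, the apostrophes survive,
// the browser decodes the attribute and runs injected() when the button is clicked.
$legacy = htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
echo renderButton($legacy), PHP_EOL;
// <button onclick="alert('x');injected();('');">click</button>

// ENT_QUOTES: the apostrophe becomes &apos; (ENT_HTML5), so after attribute decoding the
// JavaScript string literal still contains the whole value and nothing is executed.
$safe = e($value);
echo renderButton($safe), PHP_EOL;
// <button onclick="alert('x&apos;);injected();(&apos;');">click</button>
```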