Last updated: Fri, 30 Jan 2009


htmlentities

(PHP 4, PHP 5)

htmlentities - Convert all applicable characters to HTML entities

Description

string htmlentities ( string $string [, int $quote_style [, string $charset [, bool $double_encode ]]] )

This function is identical to htmlspecialchars() in all ways, except that with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

If you want to decode instead (the reverse), you can use html_entity_decode().

Parameters

string

The input string.

quote_style

Like htmlspecialchars(), it takes an optional second argument which specifies how single and double quotes are handled. It is one of three constants, with the default being ENT_COMPAT.

Available quote_style constants
Constant Name | Description
ENT_COMPAT | Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES | Will convert both double and single quotes.
ENT_NOQUOTES | Will leave both double and single quotes unconverted.

charset

Like htmlspecialchars(), it takes an optional third argument charset which defines the character set used in the conversion. Presently, the ISO-8859-1 character set is used as the default.

The following character sets are supported in PHP 4.3.0 and later.

Supported charsets
Charset | Aliases | Description
ISO-8859-1 | ISO8859-1 | Western European, Latin-1
ISO-8859-15 | ISO8859-15 | Western European, Latin-9. Adds the Euro sign and the French and Finnish letters missing from Latin-1 (ISO-8859-1).
UTF-8 | | ASCII compatible multi-byte 8-bit Unicode.
cp866 | ibm866, 866 | DOS-specific Cyrillic charset. Supported since 4.3.2.
cp1251 | Windows-1251, win-1251, 1251 | Windows-specific Cyrillic charset. Supported since 4.3.2.
cp1252 | Windows-1252, 1252 | Windows-specific charset for Western European.
KOI8-R | koi8-ru, koi8r | Russian. Supported since 4.3.2.
BIG5 | 950 | Traditional Chinese, mainly used in Taiwan.
GB2312 | 936 | Simplified Chinese, national standard character set.
BIG5-HKSCS | | Big5 with Hong Kong extensions, Traditional Chinese.
Shift_JIS | SJIS, 932 | Japanese
EUC-JP | EUCJP | Japanese

Note: Any other character sets are not recognized and ISO-8859-1 will be used instead.

double_encode

When double_encode is turned off, PHP will not encode existing HTML entities. The default is to convert everything, existing entities included.

Return Values

Returns the encoded string.

Changelog

Version | Description
5.2.3 | The double_encode parameter was added.
4.1.0 | The charset parameter was added.
4.0.3 | The quote_style parameter was added.

Example #1 A htmlentities() example

<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>
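An added example (not part of the manual) that runs the same constructed input through the three optional parameters described above, and shows the failure mode with invalid UTF-8 input, where htmlentities() returns an empty string rather than the input with the bad byte dropped:

```php
<?php
// Added example, not from the manual. Input strings are constructed.
// A UTF-8 string containing a single quote, a tag, a non-ASCII character
// and an entity that is already encoded.
$input = "O'Neil <b>é</b> &amp;";

// 1. ENT_COMPAT (the default) leaves the single quote alone, so this value
//    is not safe inside a single-quoted HTML attribute: the quote closes it.
$compat = htmlentities($input, ENT_COMPAT, 'UTF-8');
// O'Neil &lt;b&gt;&eacute;&lt;/b&gt; &amp;amp;

// 2. ENT_QUOTES converts both quote kinds; safe for either attribute style.
$quotes = htmlentities($input, ENT_QUOTES, 'UTF-8');
// O&#039;Neil &lt;b&gt;&eacute;&lt;/b&gt; &amp;amp;

// 3. double_encode = false (PHP 5.2.3+) keeps the existing &amp; as it is
//    instead of turning it into &amp;amp;.
$noDouble = htmlentities($input, ENT_QUOTES, 'UTF-8', false);
// O&#039;Neil &lt;b&gt;&eacute;&lt;/b&gt; &amp;

// 4. Declaring the wrong charset: read as ISO-8859-1, the two UTF-8 bytes
//    of é (0xC3 0xA9) are two Latin-1 characters, so the output is
//    &Atilde;&copy; rather than &eacute;. Always pass the charset the
//    string is actually in.
$wrongCharset = htmlentities($input, ENT_QUOTES, 'ISO-8859-1');
// O&#039;Neil &lt;b&gt;&Atilde;&copy;&lt;/b&gt; &amp;amp;

// 5. Invalid UTF-8: a lone Latin-1 byte in a string declared as UTF-8.
//    htmlentities() returns an empty string, so the whole value silently
//    disappears from the page. Drop the invalid sequences first if losing
//    them is acceptable for the data.
$broken = "caf\xE9";
$silent = htmlentities($broken, ENT_QUOTES, 'UTF-8');   // ''
$fixed  = htmlentities(iconv('UTF-8', 'UTF-8//IGNORE', $broken),
                       ENT_QUOTES, 'UTF-8');              // 'caf'

echo $compat, "\n", $quotes, "\n", $noDouble, "\n", $wrongCharset, "\n";
echo '[', $silent, '] [', $fixed, "]\n";
?>
```

Whether iconv() honours `//IGNORE` depends on the iconv library PHP was built against, so check the return value of that call before trusting it.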

See Also



 
User Contributed Notes: htmlentities
gunter [dot] sammet [at] gmail [dot] com
13-Jan-2009 08:48
Had a heck of a time to get my rss entities right. Using htmlentities didn't work and using html_entity_decode didn't work either. Ended up writing a custom function to encode and decode. It might still need some work but I thought to share it because I couldn't find anything on the net. Always open for suggestions to improve it! Here it is:

<?php
$entity_custom_from = array();
$entity_custom_to   = array();

function html_entity_decode_encode_rss($data) {
    global $entity_custom_from, $entity_custom_to;
    // Build the two translation lists once and keep them in the globals
    if (empty($entity_custom_from) || empty($entity_custom_to)) {
        $array_position = 0;
        foreach (get_html_translation_table(HTML_ENTITIES) as $key => $value) {
            //print("<br />key: $key, value: $value <br />\n");
            switch ($value) {
                // These ones we can skip
                case '&nbsp;':
                    break;
                // The XML-significant characters are encoded (char -> entity)
                case '&gt;':
                case '&lt;':
                case '&quot;':
                case '&apos;':
                case '&amp;':
                    $entity_custom_from[$array_position] = $key;
                    $entity_custom_to[$array_position] = $value;
                    $array_position++;
                    break;
                // Everything else is decoded (entity -> char)
                default:
                    $entity_custom_from[$array_position] = $value;
                    $entity_custom_to[$array_position] = $key;
                    $array_position++;
            }
        }
    }
    return str_replace($entity_custom_from, $entity_custom_to, $data);
}
?>
Tom Walter
17-Oct-2008 05:14
Note that as of 5.2.5 it appears that if the input string contains a character that is not valid for the output encoding you've specified, then this function returns null.

You might expect it to just strip the invalid char, but it doesn't.

You can strip the chars yourself like so:

iconv('UTF-8', 'UTF-8//IGNORE', $str);

You can combine that with htmlentities also:

$str = htmlentities(iconv('UTF-8', 'UTF-8//IGNORE', $str), ENT_QUOTES, 'UTF-8');

Should give you a string with htmlentities encoded to utf-8, and any unsupported chars stripped.
Kenneth Kin Lum
23-Sep-2008 02:47
Use htmlspecialchars() if you are passing in a usual ASCII string.  It is faster than htmlentities().

For example, if you are just doing

htmlentities('<div style="background: #fff"></div>');

then you can just use htmlspecialchars().  htmlentities() will look for all possible ways to convert string into html entities, such as &copy; or &eacute; (which is e with an acute accent on top).

Note that ASCII is just 7 bit, which is 0x00 to 0x7F.  htmlspecialchars() will handle characters inside this range already.  htmlentities() is for the 8-bit Latin-1 (ISO-8859-1) to handle European characters, or for UTF-8 when the 3rd argument is "UTF-8" to handle UTF-8 characters, or other types of encodings using different values for the 3rd argument passed into htmlentities().
anotheruser at example dot com
07-Sep-2008 11:33
Followup to anotheruser at example dot com
02-Aug-2008 02:12

There are a couple of parts in the code which make the post eligible for deletion.

The foreach loop can be replaced by array_walk.  As halocastle at yahoo dot com mentioned, the key names passed by the user in post/get are suspect as well, but weren't handled in the example.  Altering post/get arrays directly is bad form.  The example should be used under very specific situations contrary to what I had originally suggested.  Also, I'd agree with kjarli at gmail dot com that there are probably better alternatives to htmlentities for scrubbing data for db storage.

The function as edited by the moderators is broken.  It has no return value or doesn't set the value passed by reference.  Passing $txtArray by reference doesn't make sense when used like "$array = htmlizeArray($array);" and it destroys $array as is.  Htmlize_text is not a callable function since it was renamed to htmlizeArray in the example.

So, Mods - please delete this side thread.
kjarli at gmail dot com
03-Sep-2008 03:20
@anotheruser at example dot com

Your post is pointless. You never use htmlentities on data received from the user. You might only escape it when you insert it in the database using real_escape_string. Only when you display it, you change it in the template.
anotheruser at example dot com
02-Aug-2008 11:12
This looping function below is useful to disable html in user generated content (message board posts, webpage-based chat clients, etc).  And, so far, it's worked fine alone for sanitizing user input for database storage.  "htmlize_text" here preserves keys and works on recursive arrays.

<?php

$_GET = htmlize_text($_GET);
$_POST = htmlize_text($_POST);

function htmlizeArray(&$txtArray) {
    if (is_array($txtArray)) {
        foreach ($txtArray as $key => $val) {
            htmlizeArray($val);
        }
    }
    else {
        htmlentities($txtArray);
    }
}

?>
snevi at im dot com dot ve
22-Jul-2008 04:10
Correction to my previous post and improvement of the function: (the post was changed by the html parser and the characters display as they should not)

<?php
function XMLEntities($string)
{
    // Every byte outside tab, LF, CR and printable ASCII is handed to
    // _privateXMLEntities(). preg_replace_callback replaces the /e modifier
    // of the original, which is no longer available.
    $string = preg_replace_callback('/[^\x09\x0A\x0D\x20-\x7F]/', '_privateXMLEntities', $string);
    return $string;
}

function _privateXMLEntities($match)
{
    // Windows-1252 bytes 128-159 mapped to the Unicode code points they display as
    $chars = array(
        128 => '&#8364;',
        130 => '&#8218;',
        131 => '&#402;',
        132 => '&#8222;',
        133 => '&#8230;',
        134 => '&#8224;',
        135 => '&#8225;',
        136 => '&#710;',
        137 => '&#8240;',
        138 => '&#352;',
        139 => '&#8249;',
        140 => '&#338;',
        142 => '&#381;',
        145 => '&#8216;',
        146 => '&#8217;',
        147 => '&#8220;',
        148 => '&#8221;',
        149 => '&#8226;',
        150 => '&#8211;',
        151 => '&#8212;',
        152 => '&#732;',
        153 => '&#8482;',
        154 => '&#353;',
        155 => '&#8250;',
        156 => '&#339;',
        158 => '&#382;',
        159 => '&#376;');
    $num = ord($match[0]);
    // Bytes in 128-159 without a mapping (129, 141, 143, 144, 157) fall through
    // to the plain numeric entity instead of raising an undefined index notice
    return (($num > 127 && $num < 160 && isset($chars[$num])) ? $chars[$num] : "&#" . $num . ";");
}
?>

In the previous post, to correct the HEX values that are not rendered, the program uses a foreach cycle, but that introduces a major complexity in execution time, so we use the ability to call functions in the preg_replace second parameter, and create another function that evaluates the ord of the character given, and if it is between 127 and 160 it returns the modified HEX value to be understood by the browser and not break the XML
(this works with dynamic XML generated from php with dynamic data from any source)

P.S.: the '&'(&) should appear in this post as a single ampersand character and not as the html entity
keenskelly at gmail dot com
09-Jul-2008 08:00
Correction to my previous post: the set of ENTITY declarations must be inside a <!DOCTYPE element; also &nbsp; is NOT pre-defined in XML and must be left in the entity list. I also extended the list with the windows 1252 character set using a sample function borrowed from php.net user comments and extended with euro entity which we need for our app. Here is the final code that is in our production app:

<?php

// Generate a list of entity declarations from the HTML_ENTITIES set that PHP knows about to dump into the document
function htmlentities_entities() {
        $output = "<!DOCTYPE html [\n";
        foreach (get_html_translation_table_CP1252(HTML_ENTITIES) as $value) {
                $name = substr($value, 1, strlen($value) - 2);
                switch ($name) {
                        // These ones we can skip because they're built into XML
                        case 'gt':
                        case 'lt':
                        case 'quot':
                        case 'apos':
                        case 'amp': break;
                        default: $output .= "<!ENTITY {$name} \"&{$name};\">\n";
                }
        }
        $output .= "]>\n";
        return($output);
}

// ref: http://php.net/manual/en/function.get-html-translation-table.php#76564
function get_html_translation_table_CP1252($type) {
        $trans = get_html_translation_table($type);
        $trans[chr(130)] = '&sbquo;';    // Single Low-9 Quotation Mark
        $trans[chr(131)] = '&fnof;';    // Latin Small Letter F With Hook
        $trans[chr(132)] = '&bdquo;';    // Double Low-9 Quotation Mark
        $trans[chr(133)] = '&hellip;';    // Horizontal Ellipsis
        $trans[chr(134)] = '&dagger;';    // Dagger
        $trans[chr(135)] = '&Dagger;';    // Double Dagger
        $trans[chr(136)] = '&circ;';    // Modifier Letter Circumflex Accent
        $trans[chr(137)] = '&permil;';    // Per Mille Sign
        $trans[chr(138)] = '&Scaron;';    // Latin Capital Letter S With Caron
        $trans[chr(139)] = '&lsaquo;';    // Single Left-Pointing Angle Quotation Mark
        $trans[chr(140)] = '&OElig;';    // Latin Capital Ligature OE
        $trans[chr(145)] = '&lsquo;';    // Left Single Quotation Mark
        $trans[chr(146)] = '&rsquo;';    // Right Single Quotation Mark
        $trans[chr(147)] = '&ldquo;';    // Left Double Quotation Mark
        $trans[chr(148)] = '&rdquo;';    // Right Double Quotation Mark
        $trans[chr(149)] = '&bull;';    // Bullet
        $trans[chr(150)] = '&ndash;';    // En Dash
        $trans[chr(151)] = '&mdash;';    // Em Dash
        $trans[chr(152)] = '&tilde;';    // Small Tilde
        $trans[chr(153)] = '&trade;';    // Trade Mark Sign
        $trans[chr(154)] = '&scaron;';    // Latin Small Letter S With Caron
        $trans[chr(155)] = '&rsaquo;';    // Single Right-Pointing Angle Quotation Mark
        $trans[chr(156)] = '&oelig;';    // Latin Small Ligature OE
        $trans[chr(159)] = '&Yuml;';    // Latin Capital Letter Y With Diaeresis
        $trans[chr(128)] = '&euro;';    // euro currency symbol (byte 0x80 in CP1252)
        ksort($trans);
        return $trans;
}

?>
keenskelly at gmail dot com
07-Jul-2008 08:23
So here's something fun: if you create an XML document in PHP and use htmlentities() to encode text data, then later want to read and parse the same document with PHP's xml_parse(), unless you include entity declarations into the generated document, the parser will stop on the unknown entities.

To account for this, I created a small function to take the translation table and turn it into XML <!ENTITY> definitions. I insert this output into the XML document immediately after the <?xml?> line and the parse errors magically vanish:

// Generate a list of entity declarations from the HTML_ENTITIES set that PHP knows about to dump into the document
function htmlentities_entities() {
        $output = '';
        foreach (get_html_translation_table(HTML_ENTITIES) as $value) {
                $name = substr($value, 1, strlen($value) - 2);
                switch ($name) {
                        // These ones we can skip because they're built into XML
                        case 'nbsp':
                        case 'gt':
                        case 'lt':
                        case 'quot':
                        case 'apos':
                        case 'amp': break;
                        default: $output .= "<!ENTITY {$name} \"&{$name};\">\n";
                }
        }
        return($output);
}
anju at mycompany dot com
24-Jun-2008 10:32
The example below was very helpful. I was trying to make an rss feed for the data which comes from various sources. Thanks Cameron.

cameron at prolifique dot com
http://www.prolifique.com/entities.php.txt
silverquick at gmail dot com
18-Jun-2008 01:22
@vicrry at yahoo dot com
This function does encode *non-breaking* spaces to &nbsp;, but normal spaces are not equivalent to &nbsp;.
nacho dot exr at gmail dot com
23-May-2008 01:25
For the <mat at matinfo dot ch> function 'convertLatin1ToHtml'

a performance improvement: use strtr instead of str_replace:

foreach ($html_entities as $key => $value) {
        $str = str_replace($key, $value, $str);
    }

goes to:

$str = strtr($str,$html_entities);

that's all ;)
eric at tillandsia dot nl
13-May-2008 10:06
I don't know, but I get a lot of warnings about unknown html entities when I use the function:

htmlentities($str,HTML_ENTITIES,'UTF-8')

The function below works fine for me, just a replacement by a decimal coding.
A str_replace for each possible latin character in a string as in an earlier example using a hash table is slowing down the script, because you go through the string for each latin character again. In the example below, you will go through it only once.
 
function parseXMLcoding($string)
{
    if ( strlen($string) == 0 )
        return $string;
       
    $string = preg_split("//", $string, -1, PREG_SPLIT_NO_EMPTY);

    for ( $i = 0; $i < count($string); $i++ )
    {
        $dec = ord($string[$i]);
       
        if ( $dec > 127 )
            $string[$i] = '&#' . $dec . ';';
    }
   
    return implode('',$string);
}
vicrry at yahoo dot com
25-Apr-2008 07:33
My code has been this ugly all the time:

echo nl2br( str_replace(' ','&nbsp;', htmlentities( $string ) ) );

it would be great if this function has the option to encode spaces to &nbsp;(s), because it's also among the html special char equivalents.
mat at matinfo dot ch
21-Apr-2008 09:34
Hi,

below is a method to convert UTF-8 Latin-1 characters to HTML entities.
I created this to translate strings with HTML elements in them, and I just want to convert the entities.

function convertLatin1ToHtml($str) {
    $html_entities = array (
        "&" =>  "&amp;",     #ampersand  
        "á" =>  "&aacute;",     #latin small letter a
        "Â" =>  "&Acirc;",     #latin capital letter A
        "â" =>  "&acirc;",     #latin small letter a
        "Æ" =>  "&AElig;",     #latin capital letter AE
        "æ" =>  "&aelig;",     #latin small letter ae
        "À" =>  "&Agrave;",     #latin capital letter A
        "à" =>  "&agrave;",     #latin small letter a
        "Å" =>  "&Aring;",     #latin capital letter A
        "å" =>  "&aring;",     #latin small letter a
        "Ã" =>  "&Atilde;",     #latin capital letter A
        "ã" =>  "&atilde;",     #latin small letter a
        "Ä" =>  "&Auml;",     #latin capital letter A
        "ä" =>  "&auml;",     #latin small letter a
        "Ç" =>  "&Ccedil;",     #latin capital letter C
        "ç" =>  "&ccedil;",     #latin small letter c
        "É" =>  "&Eacute;",     #latin capital letter E
        "é" =>  "&eacute;",     #latin small letter e
        "Ê" =>  "&Ecirc;",     #latin capital letter E
        "ê" =>  "&ecirc;",     #latin small letter e
        "È" =>  "&Egrave;",     #latin capital letter E
... sorry cutting because limitation of php.net ...
... but the principle is it ;) ...
        "û" =>  "&ucirc;",     #latin small letter u
        "Ù" =>  "&Ugrave;",     #latin capital letter U
        "ù" =>  "&ugrave;",     #latin small letter u
        "Ü" =>  "&Uuml;",     #latin capital letter U
        "ü" =>  "&uuml;",     #latin small letter u
        "Ý" =>  "&Yacute;",     #latin capital letter Y
        "ý" =>  "&yacute;",     #latin small letter y
        "ÿ" =>  "&yuml;",     #latin small letter y
        "Ÿ" =>  "&Yuml;",     #latin capital letter Y
    );

    foreach ($html_entities as $key => $value) {
        $str = str_replace($key, $value, $str);
    }
    return $str;
}
za at byza dot it
15-Apr-2008 07:15
Trouble when using files with different charset?

htmlentities and html_entity_decode can be used to translate between charset!

Sample function:

function utf2latin($text) {
   $text=htmlentities($text,ENT_COMPAT,'UTF-8');
   return html_entity_decode($text,ENT_COMPAT,'ISO-8859-1');
}
richard at aggmedia dot net
13-Mar-2008 05:32
From SR:

> There's no sane reason to use htmlentities() instead
> of htmlspecialchars(). As long as you specify the charset
> of a page with a Content-Type meta in the head of a
> page (which you should ALWAYS do in the first place),
> escaping all characters is completely pointless and will
> only grow the size of your page. Only the special HTML
> characters (<, >, &, etc.) need to be escaped, which is
> exactly what htmlspecialchars() does

This is inaccurate and unhelpful.

There are many cases where you would want to convert a UTF-8 (or other) encoded string into appropriate HTML entity representations, as well as it being just good practice to use more compatible entities instead of embedded character encodings.

One such example is when using JavaScript for string manipulation, which doesn't support character sets and thus does not respect the UTF-8 BOM. By converting to full entities, JavaScript works with the entity text instead of byte codes.

So long as the developer understands what is happening with encoding and how character sets work, they should make their own call on which function they need to use.
sitefr at gmail dot com
26-Feb-2008 11:51
@ iraiscoming [AT] g m a i l [DOT] com

To encode chars like "'", "\", "?", etc. you could also use the function rawurlencode();

 - R
rafael at phpit dot com dot br
25-Jan-2008 06:27
Looking to make an htmlentities that substitutes everything but tags, I've made a solution that goes against the snippet proposed by "olito24 at gmx dot de"...

Here it goes!

<?php

function htmlButTags($str) {
    // Take all the html entities
    $caracteres = get_html_translation_table(HTML_ENTITIES);
    // Find out the "tags" entities
    $remover = get_html_translation_table(HTML_SPECIALCHARS);
    // Spit out the tags entities from the original table
    $caracteres = array_diff($caracteres, $remover);
    // Translate the string....
    $str = strtr($str, $caracteres);
    // And that's it!
    return $str;
}

?>

Any improvement will be much appreciated! :)
iraiscoming [AT] g m a i l [DOT] com
22-Jan-2008 11:29
As "realcj at g mail dt com" wrote in a comment for flashentities, here's an "extension" for reading wordpress cookies and using the addresses and e-mails in them:

<?php
function wp_entities($string, $encode = 0) {

    $a = (int) $encode;
    $original = array("&", "'", ":", "/", "@");
    $entities = array("%26", "%27", "%3A", "%2F", "%40");

    if ($a == 1)
        return str_replace($original, $entities, $string);
    else
        return str_replace($entities, $original, $string);
}

?>
Just set the second argument to 1 (int) to make the function act the opposite way. :)
Hope it will be useful!
TKVLPUAIBSDB at spammotel dot com
14-Nov-2007 02:11
Yet another "help paste from MS Word" function. Characters from ISO-8859-1 charset are left in peace, while entities are built for non-standard characters from Windows CP1252.

function win1252toIso( $string ) {
    // These chars seem to be not contained
    // in php's CP1252 translation table
    static $extensions = array(
        142 => "&Zcaron;",
        158 => "&zcaron;"
    );
    // Go through string and decide char by char:
    // "leave as is or build entity?"
    $newStr = "";
    for( $i=0; $i < strlen( $string ); $i++ ) {
        $ord = ord( $string[$i] );
        if ( in_array( $ord, array_keys( $extensions ) ) ) {
            // build entity using extra translation table
            $newStr .= $extensions[$ord];
        }
        else {
            // build entity using php's translation table
            // or leave as is
            $newStr .= ( $ord > 127 && $ord < 160 ) ?
                htmlentities( $string[$i], ENT_NOQUOTES, "CP1252" )
                : $string[$i];
        }
    }
    return $newStr;
}
SR
15-Oct-2007 10:57
There's no sane reason to use htmlentities() instead of htmlspecialchars(). As long as you specify the charset of a page with a Content-Type meta in the head of a page (which you should ALWAYS do in the first place), escaping all characters is completely pointless and will only grow the size of your page. Only the special HTML characters (<, >, &, etc.) need to be escaped, which is exactly what htmlspecialchars() does.
marktpitman at gmail dot com
15-Oct-2007 05:21
I just thought I would add that if you're using the default charset, htmlentities will not correctly return the trademark ( ™ ) sign.

Instead it will return something like this: �

If you need the trademark symbol, use:

htmlentities( $html, ENT_QUOTES, "UTF-8" );
Anonymous Coward
09-Oct-2007 04:29
Another version of the xml special characters string conversion, this one also takes care of ascii chars in range 128 to 255

$asc2uni = Array();
for($i=128;$i<256;$i++){
  $asc2uni[chr($i)] = "&#x".dechex($i).";";   
}

function XMLStrFormat($str){
    global $asc2uni;
    $str = str_replace("&", "&amp;", $str);
    $str = str_replace("<", "&lt;", $str); 
    $str = str_replace(">", "&gt;", $str); 
    $str = str_replace("'", "&apos;", $str);  
    $str = str_replace("\"", "&quot;", $str); 
    $str = str_replace("\r", "", $str);
    $str = strtr($str,$asc2uni);
    return $str;
}
ferrettinico at gmail dot com
04-Oct-2007 07:13
Hi, from some machines (Mac for example), when submitting a form, characters with accents get the wrong encoding.

For example: í -> &Atilde;&shy instead of &iacute;
halocastle at yahoo dot com
04-Sep-2007 12:03
Okay, so maybe this SHOULD be posted under Urlencode, but there's more talk of foiling XSS attacks here than there, so…

Be VERY careful validating submitted data not to miss something.  By that I mean EVERYTHING passed in the $_POST array, including keys (the names of the form fields themselves) is susceptible to XSS attacks.  Any hack can add whatever they want to your form and submit it to your script:

<input type="hidden" name="<script>alert('…the form_fields_NAMES can get you, too!');</script>" value="We all validate form_field_VALUES, but…">

Step one of course is to adopt a sensible naming convention for your form fields, to wit: name="always_lower_case" (underscores do NOT get encoded because they are valid URL characters).  So, you should never find a "%" in one of your form field NAMES.  Here's what I do:

foreach($_POST as $key => $val) {
  // scrubbing the field NAME...
  if(preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); // *
  // okay, got here, now scrubbing the field VALUE...
  // scrub $val here by using htmlentities or a custom replacement function
  // ...
}

* %3Cscript%3Ealert%28%27%85the+form_fields_NAMES+can+get+you%...

P.S. Yes, remove the asterisk!
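An added example (not from either of the posts above) that combines the two ideas in this thread: the recursive, key-preserving escaping of a request array that htmlizeArray() attempted, and the field-name check from the post above, done as a whitelist instead of looking for "%" after urlencode(). The naming convention (lower-case letters, digits, underscores, at most 64 characters) and the sample submission are assumptions made for the example.

```php
<?php
// Added example, not code from the posts above.

// Assumed naming convention for form fields: lower-case letters, digits and
// underscores, 1-64 characters. Integer keys (from name="items[]") are allowed.
function isSafeFieldName($key) {
    if (is_int($key)) {
        return true;
    }
    // A whitelist refuses anything outside the convention, whatever it contains,
    // rather than trying to spot one particular dangerous character.
    return is_string($key) && preg_match('/^[a-z0-9_]{1,64}$/', $key) === 1;
}

// Returns a new value; $data, $_GET and $_POST are left untouched, so the raw
// values remain available for database escaping with a different function.
function escapeForHtml($data, $charset = 'UTF-8', $depth = 0) {
    if ($depth > 32) {                       // guard against absurd nesting
        throw new InvalidArgumentException('input nested too deeply');
    }
    if (!is_array($data)) {
        // ENT_QUOTES so the result is safe in single- and double-quoted attributes
        return htmlentities((string) $data, ENT_QUOTES, $charset);
    }
    $out = array();
    foreach ($data as $key => $val) {
        if (!isSafeFieldName($key)) {
            // Do not include the offending key in the message: it would end up
            // unescaped in logs or error pages.
            throw new InvalidArgumentException('unexpected field name');
        }
        $out[$key] = escapeForHtml($val, $charset, $depth + 1);   // keys preserved
    }
    return $out;
}

// Constructed sample: what a submitted form might decode to.
$submitted = array(
    'user_name' => "O'Brien <b>&amp;</b>",
    'tags'      => array('php', "<script>x</script>"),
);
print_r(escapeForHtml($submitted));
// [user_name] => O&#039;Brien &lt;b&gt;&amp;amp;&lt;/b&gt;
// [tags] => Array ( [0] => php  [1] => &lt;script&gt;x&lt;/script&gt; )

// A field NAME that violates the convention is rejected as a whole.
try {
    escapeForHtml(array('<script>' => 'x'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
?>
```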
Ashus
27-Jun-2007 10:36
This should basically protect the mail addresses on webpages:

<?php

function InsertMail($mail)
{
    if ($mail == '') return '';

    // replace the characters address harvesters look for with numeric entities
    $mail = str_replace(array('@', ':', '.'), array('&#064;', '&#058;', '&#046;'), $mail);
    $mail = '<a href=mailto&#058;' . $mail . '>' . $mail . '</a>';

    // cut the markup into pieces of random length (1-4 characters)
    $len = strlen($mail);
    $i = 0;
    $par = array();
    while ($i < $len) {
        $c = mt_rand(1, 4);
        $par[] = substr($mail, $i, $c);
        $i += $c;
    }
    $join = implode('"+ "', $par);

    return '<script language=javascript>
    <!--
    document.write("' . $join . '")
    //-->
    </script>';
}

echo InsertMail('user@example.com');

?>

Prints a javascript, that joins a bunch of randomly long substrings (1-4) of hyperlink prefix mailto and email address, considering that the chars . : and @ are replaced by html entities. It should work just fine.
Justin
15-Jun-2007 07:21
In response to soapergem at gmail dot com 10-May-2006 02:14 - If any of you are attempting to use this or anything else to foil XSS attacks, test this or any other function out _first_ before you put it into a development environment.  To test out if you think your code will pass, just visit http://www.gnucitizen.org/xssdb/application.htm  for some potential attacks.  After doing this myself it is apparent that just simply using htmlspecialchars is sufficient.
D. Gasser
24-Apr-2007 08:40
When using UTF-8 as charset, you'll have to set UTF-8 in braces, otherwise the variable is not recognized.
ghoffman at salientdigital dot com
04-Apr-2007 09:17
If you are looking for a comprehensive visual list of entities check here:
http://www.w3schools.com/tags/ref_entities.asp
q (dot) rendeiro (at) gmail (dot) com
07-Mar-2007 02:41
I've seen lots of functions to convert all the entities, but I needed to do a fulltext search in a db field that had named entities instead of numeric entities (edited by tinymce), so I searched the tinymce source and found a string with the value->entity mapping. So, I wrote the following function to encode the user's query with named entities.

The string I used is different from the original, because I didn't want to convert ' or ". The string is too long, so I had to cut it. To get the original check the TinyMCE source and search for nbsp or another entity ;)

<?php

// pairs of "code point,entity name", cut short here
$entities_unmatched = explode(',', '160,nbsp,161,iexcl,162,cent, [...] ');
$entities_table = array();
$even = 1;
foreach ($entities_unmatched as $c) {
    if ($even) {
        $ord = $c;
    } else {
        $entities_table[$ord] = $c;
    }
    $even = 1 - $even;
}

function encode_named_entities($str) {
    global $entities_table;

    $encoded_str = '';
    for ($i = 0; $i < strlen($str); $i++) {
        // $str[$i] replaces the old $str{$i} offset syntax
        $code = ord($str[$i]);
        $ent = isset($entities_table[$code]) ? $entities_table[$code] : '';
        if ($ent) {
            $encoded_str .= "&$ent;";
        } else {
            $encoded_str .= $str[$i];
        }
    }
    return $encoded_str;
}

?>
realcj at g mail dt com
06-Nov-2006 08:41
If you are building a loadvars page for Flash and have problems with special chars such as " & ", " ' " etc, you should escape them for flash:

Try trace(escape("&")); in flash' actionscript to see the escape code for &;

% = %25
& = %26
' = %27

<?php
function flashentities($string) {
    return str_replace(array("&", "'"), array("%26", "%27"), $string);
}
?>

Those are the two that concerned me. YMMV.
chuck at broker[remove]bin dot com
01-Nov-2006 03:33
/*
replaces everything but
alphanumeric
tab
newline
carriage return
*/
function allhtmlentities($string, $decode_first = true) {
    // this is to ensure that any entities already coded are not "messed up"
    if ($decode_first) $string = html_entity_decode($string);
    // "encode": every matched byte becomes a numeric entity
    // (preg_replace_callback replaces the original /e modifier, which is no longer available)
    return preg_replace_callback(
        '/([^\x09\x0A\x0D\x20-\x7F]|[\x21-\x2F]|[\x3A-\x40]|[\x5B-\x60])/',
        function ($m) { return '&#' . ord($m[0]) . ';'; },
        $string);
}
eric.wallet at yahoo.fr
26-Sep-2006 02:57
function htmlnumericentities($str) {
  // every byte other than printable ASCII minus & < > becomes a decimal entity
  // (preg_replace_callback replaces the original /e modifier, which is no longer available)
  return preg_replace_callback('/[^!-%\x27-;=?-~ ]/',
    function ($m) { return '&#' . ord($m[0]) . ';'; }, $str);
}

function numericentitieshtml($str) {
  // turn each decimal entity back into its single byte, then convert Latin-1 to UTF-8
  return utf8_encode(preg_replace_callback('/&#(\d+);/',
    function ($m) { return chr((int) $m[1]); }, $str));
}

echo (htmlnumericentities ("Ceci est un test : & é $ à ç <"));
echo ("<br/>\n");
echo (numericentitieshtml (htmlnumericentities ("Ceci est un test : & é $ à ç <")));

Output is :
Ceci est un test : &#38; &#233; $ &#224; &#231; &#60;<br/>
Ceci est un test : & é $ à ç <

First method convert characters to decimal values.
Second will reverse the problem !!!
lorenzo masetti at libero it
08-Aug-2006 06:44
I think I found a bug in the makeSafeEntities procedure. I don't know why but if the string has a special character as the last one (e.g. 'liberté') the result will be truncated ('libert').
I solved it by adding and taking away a blank at the end of the string; it is not the most elegant solution but it works.
This is the part that I changed in the original code that is at http://www.prolifique.com/entities.php.txt

<?php
// makeUTF8(), makeAmpersandEntities(), makeTagEntities() and
// correctIllegalEntities() are defined in entities.php.txt (linked above)
function makeSafeEntities($str, $convertTags = 0, $encoding = "") {
  if (is_array($arrOutput = $str)) {
    foreach (array_keys($arrOutput) as $key)
      // pass both optional arguments through; the original passed $encoding as $convertTags
      $arrOutput[$key] = makeSafeEntities($arrOutput[$key], $convertTags, $encoding);
    return $arrOutput;
  }
  else if (!empty($str)) {
    $str .= " ";
    $str = makeUTF8($str, $encoding);
    $str = mb_convert_encoding($str, "HTML-ENTITIES", "UTF-8");
    $str = makeAmpersandEntities($str);
    if ($convertTags)
      $str = makeTagEntities($str);
    $str = correctIllegalEntities($str);
    return substr($str, 0, strlen($str) - 1);
  }
}
?>
daviscabral[arroba]gmail[ponto]com
28-Jul-2006 10:52
unhtmlentities for all entities:

<?php

function unhtmlentities ($string) {
    $trans_tbl1 = get_html_translation_table (HTML_ENTITIES);
    $trans_tbl2 = array();
    // same characters, but keyed to their numeric entities
    foreach ($trans_tbl1 as $ascii => $htmlentitie) {
        $trans_tbl2[$ascii] = '&#' . ord($ascii) . ';';
    }
    // flip both tables so they map entity -> character
    $trans_tbl1 = array_flip ($trans_tbl1);
    $trans_tbl2 = array_flip ($trans_tbl2);
    return strtr (strtr ($string, $trans_tbl1), $trans_tbl2);
}

?>
info at pirandot dot de
22-Jul-2006 05:14
Unfortunately, there are differences between what is shown in the preview window and what is shown on the web site; thus, the extreme number of backslashes in my former note.

The corrected note:

The data returned by a text input field is ready to be used in a database query when enclosed in single quotes, e.g.
<?php
   mysql_query
("SELECT * FROM Article WHERE id = '$data'");
?>
But you will get problems when writing back this data into the input field's value,
<?php
  
echo "<input name='data' type='text' value='$data'>";
?>
because html codes would be interpreted and escape sequences would cause strange output.

The following function may help:
<?php
function deescape ($s, $charset = 'UTF-8')
{
  //  don't interpret html codes and don't convert quotes
  $s = htmlentities ($s, ENT_NOQUOTES, $charset);

  //  delete the inserted backslashes except those for protecting single quotes
  //  (preg_replace_callback replaces the original /e modifier, which is no longer available)
  $s = preg_replace_callback ("/\\\\([^'])/",
         function ($m) { return '&#' . ord($m[1]) . ';'; }, $s);

  //  delete the backslashes inserted for protecting single quotes
  $s = str_replace ("\\'", "&#" . ord ("'") . ";", $s);

  return $s;
}
?>
Try some input like:  a'b"c\d\'e\"f\\g&x#27;h  to test ...
soapergem at gmail dot com
10-May-2006 09:14
A quick revision to my last comment. For some reason, leaving the control characters in the safe range seemed to screw things up. So instead, using this function will do what everybody else here is trying to do, but it will do so in a single line:

<?php
// every byte outside tab, LF, CR and printable ASCII becomes a numeric entity
// (the /e modifier is gone since PHP 7, so a callback is used instead)
$text = preg_replace_callback('/[^\x09\x0A\x0D\x20-\x7F]/', function ($m) {
    return '&#' . ord($m[0]) . ';';
}, $text);
?>
cameron at prolifique dot com
10-May-2006 09:01
I've been asked why I assembled such intricate functions to convert to entities when I could use a very simple solution (like the one offered by soapergem below). The biggest reason is that the PHP htmlentities function and most of the other solutions listed below go haywire on multi-byte strings.

In addition, the entire range of numbered entities from &#129; through &#159; are invalid characters, and should not be used (as noted by mail at britlinks dot com below). Most htmlentity functions also do not convert ampersands or pointy brackets (<>) to entities. The ones that do often reconvert existing entities (&amp; becomes &amp;amp;).
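As an added example (not code from the original page or from any of its commenters), here is the byte-wise approach of the one-liners above beside a code-point-aware version that addresses the multi-byte problem raised in this note. The function names are chosen here; preg_replace_callback(), mb_check_encoding() and mb_convert_encoding() are the real PHP functions it relies on, so the mbstring extension is assumed.

```php
<?php
// Byte-wise, as posted in the notes above: every byte above 0x7F becomes its
// own numeric entity. On UTF-8 input this splits one character into several
// bogus references.
function entities_bytewise($s) {
    return preg_replace_callback('/[^\x00-\x7F]/', function ($m) {
        return '&#' . ord($m[0]) . ';';
    }, $s);
}

// Unicode code point of one UTF-8 encoded character: UCS-4BE is the code point
// written as a 32-bit big-endian integer, which unpack('N') reads back.
function codepoint($char) {
    $ucs4 = unpack('N', mb_convert_encoding($char, 'UCS-4BE', 'UTF-8'));
    return $ucs4[1];
}

// Code-point-aware: markup characters first (double_encode = false keeps
// references that are already there), then each non-ASCII character as one
// numeric reference. Input that is not valid UTF-8 is rejected (null) instead
// of being turned into junk.
function entities_utf8($s) {
    if (!mb_check_encoding($s, 'UTF-8')) {
        return null;
    }
    $s = htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
    return preg_replace_callback('/[^\x00-\x7F]/u', function ($m) {
        return '&#' . codepoint($m[0]) . ';';
    }, $s);
}

// Constructed sample: é (U+00E9, bytes C3 A9), a CJK character (U+7684,
// bytes E7 9A 84), a tag and an existing entity.
$sample = "caf\xC3\xA9 \xE7\x9A\x84 <b>&amp;</b>";

// Byte-wise, é becomes &#195;&#169;, which a browser renders as "Ã©".
assert(entities_bytewise("\xC3\xA9") === '&#195;&#169;');

// Code-point-aware: one reference per character, markup escaped, &amp; kept.
assert(entities_utf8($sample) === 'caf&#233; &#30340; &lt;b&gt;&amp;&lt;/b&gt;');

// A C3 lead byte followed by an ASCII byte is not valid UTF-8.
assert(entities_utf8("caf\xC3(") === null);
```

Note that the 129 to 159 range mentioned above never comes up in the code-point-aware version: those numbers are only produced when single CP-1252 bytes are mistaken for code points.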
cameron at prolifique dot com
06-May-2006 03:02
I've been dissatisfied with all the solutions I've yet seen for converting text into html entities, which all seem to have some drawback or another. So I wrote my own, borrowing heavily from other code posted on this site.

http://www.prolifique.com/entities.php.txt

makeSafeEntities() should take any text, convert it from the specified charset into UTF-8, then replace all inappropriate characters with appropriate (and legal) character entities, returning generic ISO-8859 HTML text. Should NOT reconvert any entities already in the text.

makeAllEntities() does the same, but converts the entire string to entities. Useful for obscuring email addresses (in a lame but nonetheless somewhat effective way).

Suggestions for improvement welcome!
soapergem at gmail dot com
29-Apr-2006 09:53
Here's another version of that "allhtmlentities" function that an anonymous user posted in the last comment, only this one would be significantly more efficient. Again, this would convert anything that has an ASCII value higher than 127.

<?php
function allhtmlentities($string)
{
    // byte-wise: every byte above 0x7F becomes a numeric entity
    // (the /e modifier is gone since PHP 7, so a callback is used instead)
    return preg_replace_callback('/[^\x00-\x7F]/', function ($m) {
        return '&#' . ord($m[0]) . ';';
    }, $string);
}
?>
anonymous
26-Apr-2006 10:38
This function will encode anything that is non Standard ASCII (that is, that is above #127 in the ascii table)

// allhtmlentities : mainly based on "chars_encode()"  by Tim Burgan <timburgan@gmail.com> [http://www.php.net/htmlentities]
function allhtmlentities($string) {
    if ( strlen($string) == 0 )
        return $string;
    $result = '';
    // ENT_QUOTES is a quote style; HTML_ENTITIES selects a translation table and is not valid here
    $string = htmlentities($string, ENT_QUOTES);
    $string = preg_split("//", $string, -1, PREG_SPLIT_NO_EMPTY);
    $ord = 0;
    for ( $i = 0; $i < count($string); $i++ ) {
        $ord = ord($string[$i]);
        if ( $ord > 127 ) {
            $string[$i] = '&#' . $ord . ';';
        }
    }
    return implode('',$string);
}
eion at bigfoot dot com
21-Feb-2006 02:54
many people below talk about using
<?php
    mb_convert_encoding($s, 'HTML-ENTITIES', 'UTF-8');
?>
to convert non-ascii code into html-readable stuff.  Due to my webserver being out of my control, I was unable to set the database character set, and whenever PHP made a copy of my $s variable that it had pulled out of the database, it would convert it to nasty latin1 automatically and not leave it in its beautiful UTF-8 glory.

So [insert korean characters here] turned into ?????.

I found myself needing to pass by reference (which of course is deprecated/nonexistent in recent versions of PHP)
so instead of
<?php
    mb_convert_encoding(&$s, 'HTML-ENTITIES', 'UTF-8');
?>
which worked perfectly until I upgraded, so I had to use
<?php
    call_user_func_array('mb_convert_encoding', array(&$s, 'HTML-ENTITIES', 'UTF-8'));
?>

Hope it helps someone else out
Bartek
01-Feb-2006 12:06
I use this function to convert input from MS Word into html (ascii) compatible output. I hope it will also work for you.

I have enabled magic_quotes on my server so maybe you won't need stripslashes and addslashes.
I've also noticed that the Opera 8.51 browser behaves somewhat differently from IE 6 and Firefox 1.5. I haven't checked this function with other browsers.

<?php
function convert_word_to_ascii($string)
{
    $string = stripslashes($string);

    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

    // default to an empty search list so str_replace() below never sees an undefined variable
    $search = array();

    // Opera submits Word's quotes, ellipsis and dash as numeric entities
    if (stristr($ua, "Opera")) {
        $search = array('&#8216;', chr(96), '&#8217;', '&#8222;', '&#8221;', '&#8220;', '&#8230;', '&#8211;');
    }

    // Firefox and IE submit the raw CP-1252 bytes
    if (stristr($ua, "Firefox") || stristr($ua, "MSIE")) {
        $search = array(chr(145), chr(146), chr(96), chr(132), chr(147), chr(148), chr(133), chr(150));
    }

    $replace = array("'", "'", "'", '"', '"', '"', '...', '-');

    $new_string = str_replace($search, $replace, $string);
    return addslashes($new_string);
}
?>
24-Jan-2006 03:20
Please, don't use htmlentities to avoid XSS! Htmlspecialchars is enough!

If you don't specify the encoding, Latin1 will be used, so there is a problem if someone wants to use your software in a non-English environment.
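As an added example (not code from the original page or from any of its commenters), the following shows what the quote style changes when untrusted text is written into HTML, which is the case the note above is about. esc_html() and input_field() are names chosen here; htmlspecialchars(), htmlentities() and the ENT_* flags are the real PHP API.

```php
<?php
// Escape for element content or for a double-quoted attribute value.
function esc_html($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Render an <input> whose value comes from user data. The attribute is
// double-quoted and ENT_QUOTES encodes both quote characters, so no quote
// in the data can close the attribute early.
function input_field($name, $value) {
    return '<input name="' . esc_html($name) . '" type="text" value="' . esc_html($value) . '">';
}

// Constructed sample: ordinary text that contains both quote kinds, a tag and
// an ampersand. A plain apostrophe is enough to show the difference.
$data = "it's a <b>test</b> & \"more\"";

// ENT_COMPAT (the default) leaves the single quote unencoded. Echoed into a
// single-quoted attribute such as value='...', that raw ' ends the attribute.
$compat = htmlspecialchars($data, ENT_COMPAT, 'UTF-8');
assert(strpos($compat, "'") !== false);

// ENT_QUOTES encodes the single quote as &#039; and the double quote as &quot;.
$quotes = esc_html($data);
assert($quotes === 'it&#039;s a &lt;b&gt;test&lt;/b&gt; &amp; &quot;more&quot;');

// For input like this htmlentities() gives the identical result; the two
// functions only differ on characters that have a named entity (accents, ©, ...).
assert(htmlentities($data, ENT_QUOTES, 'UTF-8') === $quotes);

echo input_field('data', $data), "\n";
```

The charset argument is passed explicitly in every call for the reason the note gives: without it the bytes are interpreted as Latin-1, whatever the page is actually served as.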
mailing at jcn50 dot com
21-Jan-2006 08:25
Convert any language (Japanese, French, Chinese, Russian, etc...) to unicode HTML entities like &#XXXX;
In one line!

$new=mb_convert_encoding($s,"HTML-ENTITIES","auto");

where $s is your string (may be a FORM submitted one).

Enjoy~
edo at edwaa dot com
18-Nov-2005 06:48
A version of the xml entities function below. This one replaces the "prime" character () with which I had difficulties.

// XML Entity Mandatory Escape Characters
function xmlentities($string) {
   return str_replace ( array ( '&', '"', "'", '<', '>', '' ), array ( '&amp;' , '&quot;', '&apos;' , '&lt;' , '&gt;', '&apos;' ), $string );
}
info at bleed dot ws
15-Oct-2005 08:42
here the centralized version of htmlentities() for multibyte.

<?php
function mb_htmlentities($string)
{
    $string = htmlentities($string, ENT_COMPAT, mb_internal_encoding());
    return $string;
}
?>
fanfatal at fanfatal dot pl
28-Aug-2005 12:28
I wrote a useful function which supports iso-8859-2 encoding with the htmlentities function ;]

<?php
/*
 *    Function htmlentities which support iso-8859-2
 *
 *    @param string
 *    @return string
 *    @author FanFataL
 */
function htmlentities_iso88592($string='') {
    // entities whose Latin-1 byte positions hold Polish letters in ISO-8859-2; these must not be converted
    $pl_iso = array('&ecirc;', '&oacute;', '&plusmn;', '&para;', '&sup3;', '&iquest;', '&frac14;', '&aelig;', '&ntilde;', '&Ecirc;', '&Oacute;', '&iexcl;', '&brvbar;', '&pound;', '&not;', '&macr;', '&AElig;', '&Ntilde;');
    $entitles = get_html_translation_table(HTML_ENTITIES);
    $entitles = array_diff($entitles, $pl_iso);
    return strtr($string, $entitles);
}
?>

Greetings ;-)
...
webmaster at swirldrop dot com
26-Jul-2005 09:45
To replace any characters in a string that could be 'dangerous' to put in an HTML/XML file with their numeric entities (e.g. &#233 for [e acute]), you can use the following function:

function htmlnumericentities($str){
    // every byte outside the safe printable ASCII set (which leaves out &, < and >) becomes a numeric entity;
    // the /e modifier is gone since PHP 7, so a callback is used instead
    return preg_replace_callback('/[^!-%\x27-;=?-~ ]/', function ($m) {
        return '&#'.ord($m[0]).';';
    }, $str);
}//EoFn htmlnumericentities

To change any normal entities (e.g. &euro;) to numerical entities call:
$str = htmlnumericentities(html_entity_decode($str));
rbotzer at yahoo dot com
20-Jul-2005 12:10
The existence of html entities such as &quot; inside an xml node causes most xml parsers to throw an error.  The following function cleans an input string by converting html entities to valid unicode entities.

<?php
function htmlentities2unicodeentities($input) {
    $htmlEntities    = array_values(get_html_translation_table(HTML_ENTITIES, ENT_QUOTES));
    $entitiesDecoded = array_keys(get_html_translation_table(HTML_ENTITIES, ENT_QUOTES));
    $num = count($entitiesDecoded);
    $utf8Entities = array();
    for ($u = 0; $u < $num; $u++) {
        // ord() reads one byte, so this gives the right number only for the single-byte (Latin-1) table
        $utf8Entities[$u] = '&#'.ord($entitiesDecoded[$u]).';';
    }
    return str_replace($htmlEntities, $utf8Entities, $input);
}
?>

So, an input of
Copyrights &copy; make &quot;me&quot; grin &reg;

outputs
Copyrights &#169; make &#34;me&#34; grin &#174;
send at mail dot 2aj dot net
14-Jul-2005 08:03
If you are programming XML documents and are using the htmlentities function, then performing a  str_replace on ' into &apos; to set mandatory escape characters you can use this simple function instead.

This function, xmlentities, is basically the XML parsing equivalent of htmlentities, with fewer options than its HTML counterpart:

<?php
// XML Entity Mandatory Escape Characters
function xmlentities($string)
{
    return str_replace(array('&', '"', "'", '<', '>'), array('&amp;', '&quot;', '&apos;', '&lt;', '&gt;'), $string);
}
?>

Example:

<?php
function xmlentities($string)
{
    return str_replace(array('&', '"', "'", '<', '>'), array('&amp;', '&quot;', '&apos;', '&lt;', '&gt;'), $string);
}

echo xmlentities("If you don't use these mandatory escape characters <tags> between </tags>, XML will \"eXtensively\" & \"implicitly\" give you errors.");
?>

Produces...
If you don&apos;t use these mandatory escape characters &lt;tags&gt; between &lt;/tags&gt;, XML will &quot;eXtensively&quot; &amp; &quot;implicitly&quot; give you errors.
penfield888 at yahoo dot com
01-Feb-2005 07:40
This is a followup to the older note by mirrorball_girl (5 Jan 2003) for those who may follow.

Rather than making an exception for the en-dash (#150) and translating it to a hyphen, you could use the &#8211; unicode en-dash entity (assuming that you are serving up your pages as UTF-8 or some such encoding.

Also, the whole thing can be done better with mb_detect_order, mb_detect_encoding and mb_convert_encoding if all you want to do is serve up a web page (if you need to convert to pure ASCII, that's another issue). You need to have multi-byte support enabled on your PHP server.

Basically, the problem is with older MS programs that use Windows-1252 for their encoding, so all you really need to do is
- detect for Win-1252
- if present, convert to UTF-8
- serve up your pages as UTF-8

See the manual on Multibyte String Functions for more information.
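The three steps above, as an added example that is not code from the original page or from any of its commenters. to_utf8() is a name chosen here; mb_check_encoding(), iconv() and htmlentities() are the real PHP functions it uses, so the mbstring and iconv extensions are assumed.

```php
<?php
// Word text pasted into a form arrives with the CP-1252 smart quotes (0x93,
// 0x94) and em dash (0x97), bytes that are never valid UTF-8 on their own.
// Detection is not reliable in general, but "valid UTF-8, otherwise assume
// Windows-1252" is a workable rule for forms in Western languages.
function to_utf8($s) {
    if (mb_check_encoding($s, 'UTF-8')) {
        return $s;                               // step 1: already UTF-8, keep it
    }
    return iconv('Windows-1252', 'UTF-8', $s);   // step 2: convert
}

// Constructed sample: "he said “hi” — ok" as Word pastes it in CP-1252.
$cp1252 = "he said \x93hi\x94 \x97 ok";

$utf8 = to_utf8($cp1252);
// U+201C, U+201D and U+2014 are E2 80 9C, E2 80 9D and E2 80 94 in UTF-8.
assert($utf8 === "he said \xE2\x80\x9Chi\xE2\x80\x9D \xE2\x80\x94 ok");

// Once the data is UTF-8, htmlentities() produces the proper named entities
// without any per-byte table, and htmlspecialchars() can leave the characters
// alone because the page is served as UTF-8.
assert(htmlentities($utf8, ENT_QUOTES, 'UTF-8') === 'he said &ldquo;hi&rdquo; &mdash; ok');
assert(htmlspecialchars($utf8, ENT_QUOTES, 'UTF-8') === $utf8);

// Valid UTF-8 passes through untouched, so applying the function twice is safe.
assert(to_utf8($utf8) === $utf8);

// step 3: tell the browser what it is getting
header('Content-Type: text/html; charset=utf-8');
echo htmlspecialchars($utf8, ENT_QUOTES, 'UTF-8');
```

This replaces the per-byte tables in several of the notes on this page: once the bytes are converted to UTF-8 the standard functions already know what the characters are.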
root at joe-linux.NOSPAM.org
27-Jan-2005 12:48
It may come to you as a surprise, but I've noticed that in Firefox (as of 1.0), the text presented in "View selection source" is not the same as "View page source"; if you want to see the REAL result of htmlentities() you should look at the entire source;

I almost went mad before I discovered this :)
marques at displague dot com
24-Jan-2005 08:01
htmlEncodeText (below) needs a small tweak, the dash needs to be made literal to get picked up in cases like '<a href="blah-blah.php">'.  I have been using this function to parse my postgresql database calls since I have a lot of unicode data and I don't want HTML data to be neutered (via htmlentities()).

<?php
function htmlEncodeText($string)
{
    $pattern = '<([a-zA-Z0-9\.\, "\'_\/\-\+~=;:\(\)?&#%![\]@]+)>';
    preg_match_all('/' . $pattern . '/', $string, $tagMatches, PREG_SET_ORDER);
    $textMatches = preg_split('/' . $pattern . '/', $string);

    // encode the text between the tags, leave the tags themselves alone
    foreach ($textMatches as $key => $value) {
        $textMatches[$key] = htmlentities($value);
    }

    // there is one more text piece than there are tags, so guard the last index
    for ($i = 0; $i < count($textMatches); $i++) {
        if (isset($tagMatches[$i])) {
            $textMatches[$i] .= $tagMatches[$i][0];
        }
    }

    return implode('', $textMatches);
}
?>

--Editor note: Combined some corrections to the regex pattern, thanks to fabian dot lange at web dot de, hammertscrew at veryweb dot com, webmaster AT scholesmafia DOT co DOT uk, thomas AT cosifan DOT de and marques at displague dot com---
dumb at coder dot com
17-Jan-2005 02:22
/*
15Jan05

Within <textarea>, Browsers auto render & display certain "HTML Entities" and "HTML Entity Codes" as characters:
&lt; shows as <    --    &amp; shows as &    --    etc.

Browsers also auto change any "HTML Entity Codes" entered in a <textarea> into the resultant display characters BEFORE UPLOADING.  There's no way to change this, making it difficult to edit html in a <textarea>

"HTML Entity Codes" (ie, use of &#60 to represent "<", &#38 to represent "&" &#160 to represent "&nbsp;") can be used instead.  Therefore, we need to "HTML-Entitize" the data for display, which changes the raw/displayed characters into their HTML Entity Code equivalents before being shown in a <textarea>.

how would I get a textarea to contain "&lt;" as a literal string of characters and not have it display a "<"
&amp;lt; is indeed the correct way of doing that. And if you wanted to display that, you'd need to use &amp;amp;lt;'. That's just how HTML entities work.

htmlspecialchars() is a subset of htmlentities()
the reverse (ie, changing html entity codes into displayed characters, is done w/ html_entity_decode()

google on ns_quotehtml and see http://aolserver.com/docs/tcl/ns_quotehtml.html
see also http://www.htmlhelp.com/reference/html40/entities/
*/
Duane
09-Jan-2005 03:34
I found using:

preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,5};)/",
"&#38;",strtr($string, $trans));

didn't trap hex values (such as &#x7684;), so instead I ended
up using:

preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[x0-9a-f]{2,6};)/",
"&#38;", strtr($string, $trans));
olito24 at gmx dot de
13-Dec-2004 02:17
a function to encode everything but html tags. pattern improvement is much appreciated!

function htmlEncodeText ($string)
{
  $pattern = '<([a-zA-Z0-9\. "\'_\/-=;\(\)?&#%]+)>';
  preg_match_all ('/' . $pattern . '/', $string, $tagMatches, PREG_SET_ORDER);
  $textMatches = preg_split ('/' . $pattern . '/', $string);

  // encode the text between the tags, leave the tags themselves alone
  foreach ($textMatches as $key => $value) {
    $textMatches [$key] = htmlentities ($value);
  }

  // there is one more text piece than there are tags, so guard the last index
  for ($i = 0; $i < count ($textMatches); $i ++) {
    if (isset ($tagMatches [$i])) {
      $textMatches [$i] = $textMatches [$i] . $tagMatches [$i] [0];
    }
  }

  return implode ('', $textMatches);
}
duke at redump dot de
01-Nov-2004 04:44
The function xmlentities works great, but there can be up to 5 numbers after the &# string. See this for example:

&#12505;&#12540;&#12473;&#12508;&#12540;
&#12523;&#12473;&#12479;&#12540;&#12474;2

This is a valid (wrapped) japanese string. To successfully use it with xmlentities, you need to replace

return preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/","&#38;" , strtr($string, $trans));

with

return preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,5};)/","&#38;" , strtr($string, $trans));

(3 to 5).

Duke
tmp1000 at fastmail dot deleteme dot fm
23-Oct-2004 08:07
Regarding the two great functions posted by pinkpather and webwurst; one to encode xml entities, the other to encode only the entities of a string not already encoded.  I've combined these two.  And IMHO made a small improvement by making the translation table static:

<?php
function xmlentities($string, $quote_style=ENT_QUOTES)
{
    static $trans;
    if (!isset($trans)) {
        $trans = get_html_translation_table(HTML_ENTITIES, $quote_style);
        foreach ($trans as $key => $value)
            $trans[$key] = '&#'.ord($key).';';
        // dont translate the '&' in case it is part of &xxx;
        $trans[chr(38)] = '&';
    }
    // after the initial translation, _do_ map standalone '&' into '&#38;'
    return preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/","&#38;" , strtr($string, $trans));
}
?>

Here's the snippet of code I'm testing with:

<?php
echo "<p>Testing xmlentities...</p>";
$strings[] = "No entities here.";
$strings[] = "<b>bold</b>";
$strings[] = "Got style? Try K & R.";
echo "<ul>";
foreach ($strings as $string) {
    echo "<li>Original string: ".htmlentities($string)."</li>\n";
    echo "<li>Encoded once: ".htmlentities(xmlentities($string))."</li>\n";
    echo "<li>Encoded twice: ".htmlentities(xmlentities(xmlentities($string)))."</li>\n";
}
echo "</ul>";
?>
Miguel (miguel at sigmanet dot com dot br)
20-Oct-2004 06:43
This is a simple script that I'm using to encode and decode values from a form. Save it with the name that you wish.

<?php

/*  When you call any one of the two functions, set the $_str
    variable to the string that you want to encode or decode */

/* This function encodes the string.
   You can safely use this function to save its result in a
   database. It eliminates any space at the beginning or end
   of the string, HTML and PHP tags, and encodes any special
   char to the usual HTML entities (&[...];), eliminating the
   possibility of bugs in inserting data on a table */
function encodeText($_str) {
    $_str = strip_tags($_str);
    $_str = trim($_str);
    $_str = htmlentities($_str);
    $_str = str_replace("\r\n", "#BR#", $_str);
    return($_str);
}

/* This function decodes the string.
   If you are showing the string in the body of a page, you
   can set the $_form variable to "false", and the function will
   use the "BR" tag for the new lines. But, if you need to show
   the string in a textarea, text or other input types of a form,
   set the $_form variable to "true", then the function will use
   "\r\n" for the new lines */
function decodeText($_str, $_form) {
    $trans_tbl = get_html_translation_table(HTML_ENTITIES);
    $trans_tbl = array_flip($trans_tbl);
    $_str      = strtr($_str, $trans_tbl);
    if ($_form) {
        $_nl = "\r\n";
    } else {
        $_nl = "<br>";
    }
    $_str      = str_replace("#BR#", "$_nl", $_str);
    return($_str);
}

?>
roland dot swingler at nospam dot transversal dot com
30-Sep-2004 06:39
You don't need these custom conversion functions.

This function will only work for the first 128 ascii characters if no character set is specified.  If you specify the character set in an http header:

<?php
header('Content-type: text/html; charset=utf-8');

htmlentities('string to be encoded', ENT_QUOTES, 'utf-8');
?>

then it will work for all html entities.  It outputs the named rather than the numerical entities, but html_entity_decode() will decode both numerical and textual entities (it will treat &#8364; and &euro; as the same).

BTW, if you are dealing with form submitted data, it is a good idea to add the accept-charset="character set" attribute
to the form as well.
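As an added example (not code from the original page or from any of its commenters), the following shows what the charset argument actually changes, on a UTF-8 string. encode_with_charset() is a name chosen here; htmlentities(), htmlspecialchars() and the ENT_* flags are the real PHP API, and the ENT_SUBSTITUTE part needs PHP 5.4 or later.

```php
<?php
// Constructed sample: "café" in UTF-8 (é is the two bytes C3 A9).
$utf8 = "caf\xC3\xA9";

function encode_with_charset($s, $charset) {
    return htmlentities($s, ENT_QUOTES, $charset);
}

// Declaring the wrong charset makes htmlentities() treat each byte as one
// Latin-1 character: C3 becomes &Atilde; and A9 becomes &copy;, so the browser
// shows "cafÃ©". The bytes were never invalid, only mislabelled.
$wrong = encode_with_charset($utf8, 'ISO-8859-1');
assert($wrong === 'caf&Atilde;&copy;');

// With the charset matching the data, the two bytes are one character.
$right = encode_with_charset($utf8, 'UTF-8');
assert($right === 'caf&eacute;');

// htmlspecialchars() with the matching charset leaves é alone. When the page
// is served as UTF-8 that is all that is needed and the source stays readable.
assert(htmlspecialchars($utf8, ENT_QUOTES, 'UTF-8') === $utf8);

// Failure mode: bytes that are not valid UTF-8 (C3 followed by an ASCII byte).
// With a declared UTF-8 charset PHP refuses to encode them and returns "",
// which silently blanks the output. ENT_SUBSTITUTE replaces the bad sequence
// with U+FFFD (EF BF BD) instead, so the rest of the string survives.
$broken = "caf\xC3(";
assert(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8') === '');
assert(htmlspecialchars($broken, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') === "caf\xEF\xBF\xBD(");

// Serve the page with the same charset you encode for, so the browser and
// htmlentities() agree on what the bytes mean.
header('Content-Type: text/html; charset=utf-8');
echo $right;
```

The empty-string result is the one to watch for in practice: a check that the encoded output is non-empty whenever the input was non-empty catches mislabelled or corrupted data before it disappears from the page.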
cd at NOSPAM dot deluxe dot cd
20-Sep-2004 07:47
although it is much more complex than this, please note that if you're using xhtml the character encoding you specify within your document is "associated" with the encoding used by php.

e.g.:

<?xml version="1.0" encoding="..."?>

may also assess the manner form data is submitted. as it is prepared before sending it does not matter whether it is post or get.

to give you something stoutly have a look at mozilla firefox (0.9.3) where submitting form data...

<?xml version="1.0" encoding="ISO-8859-1"?>

...converts to %E4

<?xml version="1.0" encoding="UTF-8"?>

...converts to %C3%A4

or at internet explorer (6.0) where encoding is ignored while submit but default values of an input field let you recognize the same thing.

this may confuse you getting the desired &auml; afterwards.
porge
31-Aug-2004 06:09
Thanks attila at roughdot dot com, however I changed this to :

"/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,4};|#x[0-9a-fA-F]{2,4};)/"

in order to also to match hex-coded entities.
attila at roughdot dot com
04-Aug-2004 08:25
Thx for that function, pinkpanther at swissonline dot ch, though the number of digits after the '#' can be 4, not 3.
I bumped into this when struggling with the euro sign (&#8364;).

function htmlentities2( $myHTML)
{
    $translation_table = get_html_translation_table( HTML_ENTITIES, ENT_QUOTES);
    $translation_table[chr( 38)] = '&';
    return preg_replace( "/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,4};)/", "&amp;" , strtr( $myHTML, $translation_table));
}
m227 at poczta dot onet dot pl
26-May-2004 01:00
// tested with PHP 4.3.4, Apache 1.29
// function works like original htmlentities
// but preserves Polish characters encoded in CP-1250
// (Windows code page) from false conversion

// m227@poczta.onet.pl, 2004

function htmlentities1250($str)
{
    // four chars does not need any conversion
    // s` (9c), z` (9f), Z` (8f), S` (8c)
    $trans = array(       
        "&sup3;"  => "\xb3", //  "l-"
        "&sup1;"  => "\xb9", //  "a,"
        "&ecirc;" => "\xea", //  "e,"
        "&aelig;" => "\xe6", //  "c`"
        "&ntilde;"=> "\xf1", //  "n`"                                       
        "&iquest;"=> "\xbf", //  "z."
        "&yen;"   => "\xa5", //  "A,"
        "&AElig;" => "\xc6", //  "C`"
        "&macr;"  => "\xaf", //  "Z."
        "&Ecirc;" => "\xca", //  "E,"
        "&oacute;"=> "\xf3", //  "o`"
        "&Oacute;"=> "\xd3", //  "O`"
        "&pound;" => "\xa3", //  "L-"
        "&Ntilde;"=> "\xd1"  //  "N`"
    );
    return strtr(htmlentities($str), $trans);
}
mail at britlinks dot com
19-May-2004 07:27
similar to cedric at shift-zone dot be's function, this 'cleans up' text from MS Word, and other non-alphanumeric characters to their valid [X]HTML counterparts

<?php
// strips slashes, and converts special characters to HTML equivalents for string defined in $var
function htmlfriendly($var, $nl2br = false){
    // CP-1252 bytes 128-159 => the Unicode entities they really stand for
    $chars = array(
        128 => '&#8364;', 130 => '&#8218;', 131 => '&#402;',  132 => '&#8222;',
        133 => '&#8230;', 134 => '&#8224;', 135 => '&#8225;', 136 => '&#710;',
        137 => '&#8240;', 138 => '&#352;',  139 => '&#8249;', 140 => '&#338;',
        142 => '&#381;',  145 => '&#8216;', 146 => '&#8217;', 147 => '&#8220;',
        148 => '&#8221;', 149 => '&#8226;', 150 => '&#8211;', 151 => '&#8212;',
        152 => '&#732;',  153 => '&#8482;', 154 => '&#353;',  155 => '&#8250;',
        156 => '&#339;',  158 => '&#382;',  159 => '&#376;'
    );
    $var = str_replace(array_map('chr', array_keys($chars)), $chars, htmlentities(stripslashes($var)));
    if ($nl2br) {
        return nl2br($var);
    } else {
        return $var;
    }
}
?>
cedric at shift-zone dot be
04-May-2004 04:02
This is a conversion function for special chars.
Very useful to convert a word document into valid html
(the html provided is successfully parsed by sablotron 0.97 using iso-8859-1 charset) :

function convertDoc2HTML($txt){
    $len = strlen($txt);
    $res = "";
    for ($i = 0; $i < $len; ++$i) {
        $ord = ord($txt[$i]);   // $txt{$i} no longer works in PHP 8, [] does the same
        // check only non-standard chars
        if ($ord >= 126) {
            $res .= "&#".$ord.";";
        } else {
            // escape ", ' and \ chars
            switch ($ord) {
                case 34:
                    $res .= "\\\"";
                    break;
                case 39:
                    $res .= "\'";
                    break;
                case 92:
                    $res .= "\\\\";
                    break;
                default: // the rest does not have to be modified
                    $res .= $txt[$i];
            }
        }
    }
    return $res;
}
jake_mcmahon at hotmail dot com
30-Apr-2004 12:29
This function is particularly useful against XSS (cross-site scripting). XSS makes use of holes in code, whether it be in Javascript or PHP. XSS often, if not always, uses HTML entities to do its evil deeds, so this function in co-operation with your scripts (particularly search or submitting scripts) is a very useful tool in combatting "H4X0rz".
Guillaume Beaulieu
12-Apr-2004 12:10
Here's a simple script to transform filename with accented character in it into much more usable unaccented character for a restrictive filesystem.

$string = htmlentities($stringToModify);
/* Take the first letter of the entity (if you got filename with ([<>] in it the result will probably remain lookable*/
$string =  preg_replace("/\&(.)[^;]*;/", "\\1", $string);
/* Change the whitespace into _*/
$string = preg_replace("/[ ]/", "_", $string);
/* Dance ! */
print $string;
Funky Ants
04-Apr-2004 10:55
I had a problem working with partially html encoded data, with a selection of unescaped ampersands, hex coded, and characters in "&amp;", style.
Which I've finally overcome by decoding all of the data, and then re-encoding it all.

I found a combination of a couple of peoples work useful.

function get_htmlspecialchars( $given, $quote_style = ENT_QUOTES ){
    return htmlentities( unhtmlentities( $given ), $quote_style );
}

function unhtmlentities( $string ){
    $trans_tbl = get_html_translation_table( HTML_ENTITIES );
    $trans_tbl = array_flip( $trans_tbl );
    $ret = strtr( $string, $trans_tbl );
    // numeric entities back to single bytes (the /e modifier is gone since PHP 7, so a callback is used)
    return preg_replace_callback( '/&#(\d+);/', function ( $m ) { return chr( $m[1] ); }, $ret );
}
wwb at 3dwargamer dot net
01-Apr-2004 03:49
htmlentities is a very handy function, but it fails to fix one thing which I deal with a lot: word 'smart' quotes and emdashes.

The below function replaces the funky double quotes with &quot;, funky single quotes with standard single quotes and fixes emdashes.

    function CleanupSmartQuotes($text)
    {
        $badwordchars=array(
                            chr(145),
                            chr(146),
                            chr(147),
                            chr(148),
                            chr(151)
                            );
        $fixedwordchars=array(
                            "'",
                            "'",
                            '&quot;',
                            '&quot;',
                            '&mdash;'
                            );
        return str_replace($badwordchars,$fixedwordchars,$text);
    }
arjini at mac dot com
19-Mar-2004 09:49
If you're looking to provide bare bones protection to email addresses posted to the web try this:

###

$string = 'arjini@mac.com';
$finished = '';
for ($i = 0; $i < strlen($string); ++$i) {
    $n = rand(0, 1);
    if ($n)
        $finished .= '&#x'.sprintf("%X", ord($string[$i])).';';
    else
        $finished .= '&#'.ord($string[$i]).';';
}
echo $finished;

###

This randomly encodes a mix of hex and oridinary HTML entities for every character in the address. Note that a decoding mechanism for this could probably be written just as easily, so eventually the bots will be able to cut through this like butter, but for now, it seems like most harvesters are only looking for non-hex html entities.
stewey at ambitious dot ca
05-Mar-2004 04:11
This version of macRomanToIso (originally posted by: marcus at synchromedia dot co dot uk) offers a couple of improvements. First, it removes the extra slashes '\' that broke the original function. Second, it adds four quote characters not supported in ISO 8859-1. These are the left double quote, right double quote, left single quote and right single quote.

Be sure to remove the line breaks from the two strings going into strtr or this function will not work properly.

Be careful what text you apply this to. If you apply it to ISO 8859-1 encoded text it will likely wreak havoc. I'll save you some trouble with this bit of advice: don't bother trying to detect what charset a certain text file is using, it can't be done reliably. Instead, consider making assumptions based upon the HTTP_USER_AGENT, or prompting the user to specify the character encoding used (perhaps both).

<?php

/**
 * Converts MAC OS ROMAN encoded strings to the ISO 8859-1 charset.
 *
 * @param    string    the string to convert.
 * @return    string    the converted string.
 */
function macRomanToIso($string)
{
    // both strings have the same length and are concatenated so that no line break ends up inside them
    return strtr($string,
        "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b" .
        "\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97" .
        "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa1\xa4\xa6\xa7" .
        "\xa8\xab\xac\xae\xaf\xb4\xbb\xbc\xbe\xbf\xc0\xc1" .
        "\xc2\xc7\xc8\xca\xcb\xcc\xd6\xd8\xdb\xe1\xe5\xe6" .
        "\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf1\xf2\xf3" .
        "\xf4\xf8\xfc\xd2\xd3\xd4\xd5",
        "\xc4\xc5\xc7\xc9\xd1\xd6\xdc\xe1\xe0\xe2\xe4\xe3" .
        "\xe5\xe7\xe9\xe8\xea\xeb\xed\xec\xee\xef\xf1\xf3" .
        "\xf2\xf4\xf6\xf5\xfa\xf9\xfb\xfc\xb0\xa7\xb6\xdf\xae" .
        "\xb4\xa8\xc6\xd8\xa5\xaa\xba\xe6\xf8\xbf\xa1\xac" .
        "\xab\xbb\xa0\xc0\xc3\xf7\xff\xa4\xb7\xc2\xca\xc1" .
        "\xcb\xc8\xcd\xce\xcf\xcc\xd3\xd4\xd2\xda\xdb\xd9" .
        "\xaf\xb8\x22\x22\x27\x27"
    );
}

?>
Julien CROUZET
27-Nov-2003 10:01
If you are looking for a htmlentities inverse :
<?php
$table     = array_flip(get_html_translation_table(HTML_ENTITIES));
$plaintext = strtr($html, $table);
?>

Here is a full example to extract plaintext from a SIMPLE html page (not table, etc...)

<?php
$file_content = file_get_contents($htmlfile);
$file_content = strip_tags($file_content, '<br>');
$file_content = preg_replace('/<br( )?(\/)?>/i', "\n", $file_content);
$file_content = wordwrap($file_content);
$table        = array_flip(get_html_translation_table(HTML_ENTITIES));
$file_content = strtr($file_content, $table);
?>
root[noSPAM]cyberdark.net
24-Nov-2003 04:53
A little function that may help someone. Is useful where, FE, someone writes a text through a content management panel and is also able to put html (bolds, italics,...), so we don't want to convert html tags but all the rest. The code offers a few examples of extra entities.

function myhtmlentities($str) {
           
    $tbl=get_html_translation_table(HTML_ENTITIES);
           
    unset ($tbl["<"]);
    unset ($tbl[">"]);
    unset ($tbl["'"]);
    unset ($tbl['"']);

    $tbl[""]="&quot;";
    $tbl[""]="&quot;";
    $tbl[""]="...";
    $tbl[""]="-";
    $tbl[""]="&raquo;";
    $tbl[""]="&laquo;";
           
    return str_replace(array_keys($tbl),array_values($tbl),$str);
           
}
dmurphy at telegeography dot com
19-Sep-2003 09:14
// htmlentities() does not support Mac Roman, so this is a workaround. It requires the below table.
// This function runs on a Mac OSX machine, where text is stored in the Mac Roman character set inside a Mac OSX MySQL table.
function custom_htmlentities ($string, $table) {
    // Loop through the table (ascii decimal code => replacement), replacing each occurrence
    foreach ($table as $code => $replace_string) {
        // use the chr function to get the one character string for each ascii decimal code
        $find_char = chr($code);
        $string = str_replace($find_char, $replace_string, $string);
    }
    return $string;
}
pinkpanther at swissonline dot ch
28-Jul-2003 12:29
In case you want a 'htmlentities' function which prevents 'double' encoding of the ampersands of already present entities (&gt; => &amp;gt;), use this:

function htmlentities2($myHTML) {
   $translation_table=get_html_translation_table (HTML_ENTITIES,ENT_QUOTES);
   $translation_table[chr(38)] = '&';
   return preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/","&amp;" , strtr($myHTML, $translation_table));
}
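As an added example that is not code from the original page or from any of its commenters, the following puts the lookahead regex from this note (and the digit-count and hex fixes that attila, porge, Duane and duke proposed further up) beside the double_encode argument that htmlentities() gained in PHP 5.2.3 (see the changelog at the top of the page). The function names are chosen here.

```php
<?php
// The regex from the original htmlentities2(): only 2 or 3 digits are allowed
// after "&#", so a longer numeric reference fails the lookahead and its
// ampersand is encoded a second time.
function ampersands_regex_2to3($s) {
    return preg_replace('/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/', '&amp;', $s);
}
assert(ampersands_regex_2to3('&#169;') === '&#169;');        // fits: left alone
assert(ampersands_regex_2to3('&#8364;') === '&amp;#8364;');  // the euro case: broken

// Letting PHP do the check: with double_encode = false an ampersand that starts
// a well-formed reference (named, decimal or hex, semicolon included) is kept,
// every other ampersand becomes &amp;, and everything else is encoded as usual.
function htmlentities_nodouble($s) {
    return htmlentities($s, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample: a bare ampersand, a named reference, the 4-digit euro
// reference, a hex reference and some markup.
$sample = 'K & R, &amp; &#8364; &#x7684; <b>';

$once = htmlentities_nodouble($sample);
assert($once === 'K &amp; R, &amp; &#8364; &#x7684; &lt;b&gt;');

// Encoding again changes nothing, which is the property these notes were
// after: data can be encoded on the way in and again on the way out.
assert(htmlentities_nodouble($once) === $once);

// The price of skipping existing references: text a user literally typed as
// "&copy;" is kept as a reference too and renders as the © sign. If the raw
// text must survive, encode fully once and never feed encoded data back in.
assert(htmlentities_nodouble('&copy;') === '&copy;');
```

The regex variants differ from one another only in how many reference shapes they recognise; the flag recognises the same shapes PHP's own decoder does, so there is nothing left to widen.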
defrostdj at defrostdj dot com
25-Jul-2003 10:10
Here you have a character map function ;)

<?php
function htmldecode($encoded, $char = 'HTML_SPECIALCHARS') {
    foreach ($encoded as $key => $value) {
        echo $value .' --> ';
        if ($char == 'HTML_SPECIALCHARS') {
            echo htmlspecialchars($value);
        } else {
            echo htmlentities($value);
        }
        echo '&gtbr&lt';
    }
}
echo 'ENTITIES<&gtbr&lt><&gtbr&lt>';
$entities = get_html_translation_table(HTML_ENTITIES);
htmldecode($entities, 'HTML_ENTITIES');
echo '<&gtbr&lt>SPECIAL CHARACTERS<&gtbr&lt><&gtbr&lt>';
$specialchars = get_html_translation_table(HTML_SPECIALCHARS);
htmldecode($specialchars, 'HTML_SPECIALCHARS');
?>

So next time you're developing you'll always have a charmap ready to use.
webwurst at web dot de
29-Jun-2003 10:20
This function changes all entities to unicode-entities.
For example '<' becomes '&#60;', '' becomes '&#169;', etc.

function xmlentities($string, $quote_style=ENT_COMPAT)
{
    $trans = get_html_translation_table(HTML_ENTITIES, $quote_style);

    foreach ($trans as $key => $value)
        $trans[$key] = '&#'.ord($key).';';

    return strtr($string, $trans);
}
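As an added example that is not code from the original page or from any of its commenters, the following converts named HTML entities into numeric character references that an XML parser accepts, which is what this function and rbotzer's htmlentities2unicodeentities() further up do, but without the Latin-1 assumption behind ord() on a single byte. named_to_numeric() is a name chosen here; preg_replace_callback(), html_entity_decode() and mb_convert_encoding() are the real PHP functions it uses, so the mbstring extension is assumed.

```php
<?php
// XML predefines only five entity names. Every other name (&copy; &euro; ...)
// is HTML-only and is reported as an undefined entity by a conforming XML
// parser, so those are rewritten as &#N; using the character's code point.
function named_to_numeric($s) {
    static $predefined = array('amp' => 1, 'lt' => 1, 'gt' => 1, 'quot' => 1, 'apos' => 1);
    return preg_replace_callback('/&([A-Za-z][A-Za-z0-9]*);/', function ($m) use ($predefined) {
        if (isset($predefined[$m[1]])) {
            return $m[0];                       // already valid XML
        }
        // decode this one entity to UTF-8; an unknown name comes back unchanged
        $char = html_entity_decode($m[0], ENT_QUOTES, 'UTF-8');
        if ($char === $m[0]) {
            return $m[0];                       // not an HTML entity either, leave it alone
        }
        // UCS-4BE is the code point as a 32-bit big-endian integer
        $ucs4 = unpack('N', mb_convert_encoding($char, 'UCS-4BE', 'UTF-8'));
        return '&#' . $ucs4[1] . ';';
    }, $s);
}

// Constructed sample: rbotzer's input plus an entity outside Latin-1 (&euro;,
// U+20AC) and a name that is neither HTML nor XML.
$sample = 'Copyrights &copy; make &quot;me&quot; grin &reg; for &euro;5 &bogus; &lt;tag&gt;';
assert(named_to_numeric($sample) === 'Copyrights &#169; make &quot;me&quot; grin &#174; for &#8364;5 &bogus; &lt;tag&gt;');
```

Unlike the single-byte version, &euro; comes out as &#8364; rather than a number taken from whatever byte happened to be in the table, and the five predefined names are left as they are because XML already understands them.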
Anthony Aragues
24-Jun-2003 02:24
I found in a previous note the function for encoding the input... which worked great, but it also encoded the &nbsp; and <br> that were being automatically added in my POST, so I created an Output function to go with it that worked for me:

function VerbatimInput($String)
{
    // Escape for SQL only once: mysql_escape_string() already escapes quotes
    // and backslashes, so an extra addslashes() would store stray backslashes.
    $Output = mysql_escape_string(htmlentities($String));
    return $Output;
}

function VerbatimOutput($Input)
{
    // Undo the encoding of the two fragments the form adds by itself.
    $Output = str_replace("&lt;br /&gt;", "<br>", $Input);
    $Output = str_replace("&amp;nbsp;", "&nbsp;", $Output);
    return $Output;
}
rob at neorosa dot com
01-Mar-2003 06:12
This function will encode everything, either using ascii values or special entities:

function encode_everything($string) {
    $encoded = "";
    // Walks the input byte by byte, so it is only correct for single-byte
    // charsets such as ISO-8859-1; multibyte characters would be split.
    for ($n = 0; $n < strlen($string); $n++) {
        $check = htmlentities($string[$n], ENT_QUOTES);
        if ($string[$n] == $check) {
            // no named entity for this byte: fall back to a numeric one
            $encoded .= "&#" . ord($string[$n]) . ";";
        } else {
            $encoded .= $check;
        }
    }
    return $encoded;
}

so you can use:

$emailAddress = encode_everything($emailAddress);

to protect an email address - although I imagine it's not a great deal of protection.
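Both xmlentities() above and encode_everything() walk the input one byte at a time, which is correct for ISO-8859-1 but splits multibyte characters. The following added example (not code from either note) does the same numeric-entity encoding per Unicode code point on UTF-8 input; the function names utf8_code_point() and numeric_entities_utf8() and the sample string are constructed for illustration.

```php
<?php
// Added example, not from the notes above. Encodes every character of a
// UTF-8 string as a numeric entity, working per code point rather than per byte.

// Returns the code point of one UTF-8 encoded character (assumes valid UTF-8).
function utf8_code_point($char)
{
    $b = array_values(unpack('C*', $char));
    switch (count($b)) {
        case 1:  return $b[0];
        case 2:  return (($b[0] & 0x1F) << 6)  |  ($b[1] & 0x3F);
        case 3:  return (($b[0] & 0x0F) << 12) | (($b[1] & 0x3F) << 6)  |  ($b[2] & 0x3F);
        default: return (($b[0] & 0x07) << 18) | (($b[1] & 0x3F) << 12) | (($b[2] & 0x3F) << 6) | ($b[3] & 0x3F);
    }
}

// Numeric entities are valid in both HTML and XML, so the result is plain
// ASCII that any parser accepts. With $keep_ascii the printable ASCII
// characters that are not HTML-significant are passed through unchanged.
function numeric_entities_utf8($string, $keep_ascii = false)
{
    // Refuse invalid UTF-8 instead of emitting garbage: an empty pattern with
    // the u modifier fails to match (returns false) on a bad byte sequence.
    if (preg_match('//u', $string) !== 1) {
        return false;
    }
    $out = '';
    foreach (preg_split('//u', $string, -1, PREG_SPLIT_NO_EMPTY) as $char) {
        $cp = utf8_code_point($char);
        if ($keep_ascii && $cp >= 0x20 && $cp < 0x7F && strpos('<>&"\'', $char) === false) {
            $out .= $char;
        } else {
            $out .= '&#' . $cp . ';';
        }
    }
    return $out;
}

// Constructed sample: "cafe" with an acute e, a tag, an ampersand and a euro sign, all UTF-8.
$sample = "caf\xC3\xA9 <b>&</b> \xE2\x82\xAC";
echo numeric_entities_utf8($sample), "\n";
echo numeric_entities_utf8($sample, true), "\n";
var_dump(numeric_entities_utf8("\xC3"));   // truncated sequence is rejected
```

The validity check matters more than it looks: a byte-wise encoder happily emits `&#195;&#169;` for the two bytes of an accented character, which a browser then renders as two Latin-1 characters, and a lone lead byte would be passed on as if it were a character. On PHP 7.2 and later mb_ord() can replace the hand-written decoder.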
Bassie (:
06-Jan-2003 02:07
Note that you'll have to use htmlentities() before any other function that edits text, like nl2br().

If you use nl2br() first, the htmlentities() function will change <br> to &lt;br&gt;.
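The ordering point in this note and the VerbatimInput/VerbatimOutput pair two notes up are two sides of the same problem: escaping has to happen once, for the output context, after the raw text is final. The following added example (not code from either note) keeps user text unmodified in storage, escapes it for HTML only when rendering, and applies nl2br() after escaping so the inserted tags are not encoded; render_comment() and the sample input are constructed for illustration.

```php
<?php
// Added example, not from the notes above. Escape at output time, in the
// order htmlspecialchars() then nl2br(), instead of encoding on input and
// decoding selected entities back on output.

// Turns raw user text into an HTML fragment: every HTML-significant
// character is neutralised first, then newlines become <br /> tags.
// SQL escaping is deliberately absent: that belongs to the database layer
// (a prepared statement), not to the HTML encoder.
function render_comment($raw_text)
{
    $safe = htmlspecialchars($raw_text, ENT_QUOTES, 'UTF-8');
    return nl2br($safe);
}

// The reverse order, shown for contrast: the <br /> added by nl2br() is
// itself escaped, so the visitor sees a literal "&lt;br /&gt;".
function render_comment_wrong_order($raw_text)
{
    return htmlspecialchars(nl2br($raw_text), ENT_QUOTES, 'UTF-8');
}

// Constructed sample: markup, an ampersand, quotes and a newline, as typed by a visitor.
$comment = "Line one <b>bold</b>\nLine two & \"quoted\" 'text'";

echo render_comment($comment), "\n";
echo render_comment_wrong_order($comment), "\n";
```

Because the raw text is stored as typed, there is nothing to undo on output: no `&amp;nbsp;` to turn back into `&nbsp;`, and no risk that a selective decode also re-enables a tag the visitor typed. The same stored value can later be rendered into a different context (a JSON response, an e-mail) with that context's own encoder.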
kumar at chicagomodular.com
29-Oct-2002 03:51
without heavy scientific analysis, this seems to work as a quick fix to making text originating from a Microsoft Word document display as HTML:

function DoHTMLEntities($string)
{
    $trans_tbl = get_html_translation_table(HTML_ENTITIES);

    // MS Word strangeness..
    // smart single/ double quotes:
    $trans_tbl[chr(145)] = '\'';
    $trans_tbl[chr(146)] = '\'';
    $trans_tbl[chr(147)] = '&quot;';
    $trans_tbl[chr(148)] = '&quot;';
    // :
    $trans_tbl[chr(142)] = '&eacute;';

    return strtr($string, $trans_tbl);
}
