How can I properly escape HTML form input default values in PHP?

html forms php xss

Given the following two HTML/PHP snippets:

<input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>" />

and

<textarea name="content"><?php echo $_POST['content']; ?></textarea>

what character encoding do I need to use for the echoed $_POST variables? Can I use any built-in PHP functions?

Please assume that the $_POST values have not been encoded at all yet. No magic quotes - no nothing.


Solution 1:

Use htmlspecialchars($_POST['firstname']) and htmlspecialchars($_POST['content']).

Always escape strings with htmlspecialchars() before showing them to the user.

Solution 2:

htmlspecialchars would work in both cases. Have a look at the different flag options to avoid quotation marks being a problem in the input case.

Solution 3:

Given it is kinda long I would put it in a function

<?PHP
function encodeValue ($s) {
    return htmlentities($s, ENT_COMPAT|ENT_QUOTES,'ISO-8859-1', true); 
}
?>

This has ENT_QUOTES to make sure single and double quotes are encoded, but it will also encode special characters (Like in José) instead of inserting an empty string.

Then you can do:

<input type="text" name="firstname" value="<?= encodeValue($_POST['firstname']) ?>" />

and

<textarea name="content"><?= encodeValue($_POST['content']) ?></textarea>

Related

Where can I put custom classes in ASP.NET MVC?
Mongoose.js: how to implement create or update?
Difference between Dagger and ButterKnife Android
Using git, how do you reset the working tree (local file system state) to the state of the index ("staged" files)?
How to concatenate several MvcHtmlString instances
Difference between PID and TID
What is *so* wrong with case class inheritance?
pushState: what exactly is the state object for?
How to import existing Objective C classes in Swift
How to support latex in GitHub-pages?
RxJS: How to not subscribe to initial value and/or undefined?
How to create a LINQ to SQL Transaction?