I am storing a formatted string in a database using PHP and displaying that string in a td of an HTML table. My sample text is like:
<font color="#0033CC"><b>water </b>releasing<i> H<sub>3</sub>O<sup>+</sup></i> ions; </font>
When displaying it in the td, it just displays this raw data instead of formatted text. I have viewed the source in the browser and found the data below.
<td>&lt;font color=&quot;#0033CC&quot;&gt;&lt;b&gt;water &lt;/b&gt;releasing&lt;i&gt; H&lt;sub&gt;3&lt;/sub&gt;O&lt;sup&gt;+&lt;/sup&gt;&lt;/i&gt; ions; &lt;/font&gt;</td>
That means " is replaced with &quot;, > is replaced with &gt;, and so on.
Is there any built-in approach in PHP to avoid this scenario and display the formatted text?
Thanks in advance!
You could use html_entity_decode();
<?php
$orig = 'J\'ai "sorti" le <strong>chien</strong> tout à l\'heure';
$a = htmlentities($orig);       // encode: &, <, >, " and non-ASCII become entities
$b = html_entity_decode($a);    // decode them back to the original characters
echo $a; // J'ai &quot;sorti&quot; le &lt;strong&gt;chien&lt;/strong&gt; tout &agrave; l'heure
         // (on PHP 8.1+ the default flags also turn ' into &#039;)
echo $b; // J'ai "sorti" le <strong>chien</strong> tout à l'heure
?>
Actually I made the mistake while storing the data. I was using the methods below to process the data first: //$data = stripslashes($data); //$data = htmlspecialchars($data); Commenting out these two methods resolved my problem.
First, do not encode HTML special chars before saving data. You'd better do it just before print/echo.
<?php
// Escape a string for output into HTML. ENT_QUOTES also converts single
// quotes, so the result is safe inside quoted attributes as well as text.
function h($str)
{
return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}
$data = get_something_data_from_database(); // placeholder for your own query
/* More logic... */
?>
<!DOCTYPE html>
<title>Example</title>
<meta charset="UTF-8">
<div><?=h($data)?></div>
Yes, <?=h(...)?> is an idiom (<?=...?> is the short syntax of echo).
Or do you need to allow users to input raw HTML? Without any filtering or validation, it brings us the major vulnerability: Cross Site Scripting. You need to use HTML Purifier for this purpose.
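To make the two answers concrete, here is an added example (not code from the question or either answer) that reproduces the symptom from the question, shows the escape-on-output idiom from the second answer, and shows where the first answer's html_entity_decode() and an HTML Purifier pass fit. It runs with the plain PHP CLI; the HTML Purifier branch is only taken when that library is loaded, and the sample fragment and the $untrusted string are constructed for the demonstration.

```php
<?php
// Added example: why escaping at storage time produced the entities seen in
// the question, and how the output-time choices differ. Plain PHP CLI.

// Same helper as the answer; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, so bad bytes cannot blank out the whole cell.
function h(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: the formatted fragment from the question.
$fragment = '<font color="#0033CC"><b>water </b>releasing<i> H<sub>3</sub>O<sup>+</sup></i> ions; </font>';

// 1. What the question did: htmlspecialchars() before saving, then echo the
//    stored value inside <td>. The browser shows the entities as literal text.
$storedEncoded = htmlspecialchars($fragment);
echo "Stored encoded, echoed raw:\n  <td>" . $storedEncoded . "</td>\n\n";

// 2. Worse: encode at storage AND escape at output -> double encoding
//    (&amp;lt;font ...). This is why escaping belongs in exactly one place.
echo "Stored encoded, escaped again on output:\n  <td>" . h($storedEncoded) . "</td>\n\n";

// 3. The first answer's approach: decode already-encoded rows at output time.
//    It restores the formatting, but it also revives any markup a user
//    submitted, so it is only appropriate for data you would trust raw.
echo "Stored encoded, decoded on output:\n  <td>"
    . html_entity_decode($storedEncoded, ENT_QUOTES, 'UTF-8') . "</td>\n\n";

// 4. The second answer's recommendation: store the raw string, decide at output.
$storedRaw = $fragment;

// 4a. Untrusted input shown as plain text: every tag becomes inert text.
$untrusted = '<script>alert(1)</script>hello'; // constructed sample input
echo "Untrusted, escaped on output:\n  <td>" . h($untrusted) . "</td>\n\n";

// 4b. Trusted formatted HTML (authored by staff, or sanitized before storage):
//     emit it unchanged so the browser renders the formatting.
echo "Trusted, rendered as-is:\n  <td>" . $storedRaw . "</td>\n\n";

// 5. Users may submit HTML: run it through HTML Purifier (allowlist-based)
//    instead of trusting it. API as documented by HTML Purifier; skipped here
//    when the library is not installed.
if (class_exists('HTMLPurifier')) {
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    echo "Purified user HTML:\n  <td>" . $purifier->purify($untrusted . $storedRaw) . "</td>\n";
} else {
    echo "HTML Purifier not loaded; install it to sanitize user-supplied HTML.\n";
}
```

Step 1 prints exactly what the question saw in the page source; steps 3 and 4b both render the formatting, but only 4b keeps a single, explicit decision about whether the string is trusted, which is the point of escaping at output rather than at storage.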