Here is an example of the workflow a user can have on my website:

- Create a task, with content: I use htmlentities to encode the content and store it in my database (yes, I've decided to store the encoded content);
- The user comes back later and clicks to view the task. The thing is, the preview of the content is done in a disabled textarea.
  - I tried to use htmlentities_decode when printing the content in the textarea (XSS problem if the user entered bad things);
  - I just print the encoded text and everything is fine.
- The user clicks on EDIT, this will make the textarea editable;
- The user clicks on SAVE.
Here is my main issue, as I didn’t decode the text before I printed it, it is still encoded and when the user saves it, it is re-encoded. So, the previous content is double encoded.
So, if the first time the user enters something like:
blablabla </textarea/> yeah!
Then, it’s encoded and the result is:
blablabla &lt;/textarea/&gt; yeah!
Then, when I display it, it displays as the user previously entered it but if he saves it, the result is:
blablabla &amp;lt;/textarea/&amp;gt; yeah!
And, so, if he displays it again, it is not well displayed (and it also takes more and more space in my database as the user keeps editing his task).
Well, I am sure this is a problem a lot of people have experienced but I can’t find any good solution.
By the way, I am using htmlentities with ENT_QUOTES.
Hum,
I fixed my problem.
I didn't notice, but for the first entry I was using htmlentities() and when editing I was using the Zend escape() function.
Using only htmlentities() fixed the problem. I don’t know how the escape() function of ZF works, but I won’t use it in the future :p
Thank you for the answers 🙂
Anyway, so, I am wondering, the htmlentities_decode() function, in which situation should it be used? As I htmlentities() when I get the form and print it like that, I never use the htmlentities_decode(). Is that normal? So I am wondering what is this function used for?
Thanks again!
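As an added example (not the poster's code), the following PHP simulates one edit/save round trip of the task content to show where the double encoding in the first post comes from, and the conventional fix of storing the raw text and escaping exactly once at output. It assumes PHP 5.4 or later with UTF-8 and ENT_QUOTES as in the post; the PHP decode function is html_entity_decode (what the follow-up calls htmlentities_decode), used here only to model the browser decoding entities inside a textarea.

```php
<?php
// Added example, not the poster's code. Simulates one edit/save round trip of
// the task content to show where the double encoding comes from and how to
// avoid it. Assumes PHP 5.4+ (UTF-8 default) and ENT_QUOTES as in the post.

// Constructed sample input, taken from the post.
$input = 'blablabla </textarea/> yeah!';

// The browser treats <textarea> content as RCDATA: it decodes entities once and
// submits the decoded text on SAVE. html_entity_decode models that here.
function browserRoundTrip(string $textareaMarkup): string {
    return html_entity_decode($textareaMarkup, ENT_QUOTES, 'UTF-8');
}

// Buggy flow from the post: the row already holds encoded text, the edit form
// escapes it a second time (the ZF escape() step), the browser undoes only one
// level, and the save handler encodes the submitted text again.
function buggyCycle(string $storedEncoded): string {
    $printed   = htmlentities($storedEncoded, ENT_QUOTES, 'UTF-8'); // second escape
    $submitted = browserRoundTrip($printed);                        // one level undone
    return htmlentities($submitted, ENT_QUOTES, 'UTF-8');           // encoded on save
}

// Fixed flow: the database holds the raw text and escaping happens exactly
// once, when the textarea is printed. The saved value is stored unchanged.
function fixedCycle(string $storedRaw): string {
    $printed = htmlspecialchars($storedRaw, ENT_QUOTES, 'UTF-8'); // the one escape
    return browserRoundTrip($printed);                            // stored as-is
}

// Encode-on-store, as in the post, then two edit/save cycles: the stored
// value gains another &amp; layer on every save.
$stored = htmlentities($input, ENT_QUOTES, 'UTF-8');
echo "stored:       $stored\n";
$stored = buggyCycle($stored);
echo "after save 1: $stored\n";
$stored = buggyCycle($stored);
echo "after save 2: $stored\n";

// Store-raw, escape-on-output: the stored value is stable across saves.
$raw = $input;
$raw = fixedCycle($raw);
$raw = fixedCycle($raw);
echo "fixed, raw:   $raw\n";
echo "fixed, html:  " . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . "\n";
```

htmlentities also accepts a fourth double_encode argument (false leaves existing entities untouched), but that only masks the symptom; escaping once at output is what makes the stored value stable and keeps the textarea from being closed by user content.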