I generate this in a view:
<form method="post">
<input type="hidden"
name="test"
value="<?=htmlentities('<>"&ščé', ENT_QUOTES, 'UTF-8')?>">
<input type="submit">
</form>
Now, should I do this when processing data from the form?
$decodedTest = html_entity_decode($_POST['test'], ENT_QUOTES, 'UTF-8');
I think that this should be all right:
$decodedTest = $_POST['test'];
But I have not found a reference to this.
EDIT: I had printed the posted value of test and I had seen that the value is not encoded. What I don’t know is if I can rely on this behaviour and why. I am asking about the theory of operation. If I look into the raw POST request, I can see that the POST data is urlencoded (which is, I guess, a different type of encoding than htmlentities does). Does that mean that the client must perform some recoding before sending the request? Does the (client) browser store input values in encoded form or decoded form in memory before sending? (I already know that PHP automatically decodes urlencoded data in requests, so that part is fairly clear to me.)
You don’t really need a reference because printing htmlspecialchars($_POST['test']) (or just setting Content-Type: text/plain) will immediately reveal that the data inside $_POST is not entity-encoded. You also don’t need to call htmlentities to encode the data in the view — htmlspecialchars will suffice if your aim is to generate valid markup.
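The theory of operation asked about in the question, and the answer's claim that $_POST is not entity-encoded, can be modelled end to end. The following is an added example written for this page, not code from the question or the answer: it uses Python's standard library to stand in for the three parties. `render_view` plays the PHP view (entity-encode before placing the value in an attribute), `browser_submit` plays the browser (the HTML parser decodes entities when it reads the attribute, and form submission then URL-encodes the decoded value), and `server_receive` plays PHP filling $_POST (URL-decoding only). The function names and the sample value are assumptions made for the example. It also shows why calling html_entity_decode on the received data would be wrong: a user who legitimately typed the literal text "&amp;" would have it silently turned into "&".

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs


def render_view(value: str) -> str:
    """Server side, like the PHP view: entity-encode the value before
    putting it inside a quoted attribute (html.escape covers < > & " ')."""
    return ('<form method="post">'
            '<input type="hidden" name="test" value="%s">'
            '<input type="submit">'
            '</form>' % html.escape(value, quote=True))


class FormReader(HTMLParser):
    """Models the browser's HTML parser: attribute values are handed to us
    already entity-decoded, which is what the browser keeps in memory."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("type") == "hidden":
                self.fields[a["name"]] = a["value"]


def browser_submit(markup: str) -> str:
    """Parse the markup as a browser would, then build the
    application/x-www-form-urlencoded POST body from the decoded values."""
    reader = FormReader()
    reader.feed(markup)
    return urlencode(reader.fields, encoding="utf-8")


def server_receive(body: str) -> dict:
    """Models PHP populating $_POST: URL-decode the body, nothing else."""
    parsed = parse_qs(body, keep_blank_values=True, encoding="utf-8")
    return {k: v[0] for k, v in parsed.items()}


def round_trip(value: str):
    """Return (rendered markup, raw POST body, value as seen in $_POST)."""
    markup = render_view(value)
    body = browser_submit(markup)
    return markup, body, server_receive(body)["test"]


def wrongly_decoded(value: str) -> str:
    """What you would get by additionally running html_entity_decode on
    the received value: a second, unwarranted decoding step."""
    return html.unescape(round_trip(value)[2])


if __name__ == "__main__":
    # Constructed sample value, the same one the question's view emits.
    original = '<>"&ščé'
    markup, body, received = round_trip(original)
    print("markup  :", markup)
    print("POST    :", body)
    print("received:", received, "(equals original:", received == original, ")")
    # The hazard of decoding again on the server side.
    print("typed '&amp;' ->", round_trip("&amp;")[2],
          "| after html_entity_decode ->", wrongly_decoded("&amp;"))
```

The markup carries `&lt;&gt;&quot;&amp;`, the POST body carries `%3C%3E%22%26...`, and the value the server reads back is byte-for-byte the original. Entity encoding exists only between the view and the browser's parser; URL encoding exists only between the browser and the server, and each side undoes exactly one of them.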