I have been using addslashes(). But this escapes database characters. However I need to escape HTML characters as in this environment below:
Or a better idea, I plan to not use document.write() and simply use .innerHTML. Would I need to escape at all if I don’t write to the window?
Currently I use document.write() and if I take out addslashes(), then the code breaks as the browser reads the next apostrophe as closing the input string.
Is there a similar function to addslashes() but for browser data as opposed to database data?
PHP generated (inside the page):
<?php
$Object = new ObjectMaker();
$ObjectTweet=$Object->makeTweetSmall();
$ObjectTweet->pageInsert();
?>
The function called:
public function pageInsert()
{
$resultArray=$this->DatabaseObject->_pdoQuery('multiple', 'tweet_model');
$resultAml = MarkTweet::up($resultArray);
$resultAml = addslashes($resultAml); // this is a hack that does not work / do it correctly
$embeddedAml = "<script type='text/javascript'>document.write(Arc.ViewHTweet('" . $resultAml . "'))</script>";
Control::send($embeddedAml);
}
HTML / embedded JavaScript output:
<script type='text/javascript'>document.write(Arc.ViewHTweet(
'1|Test Account|1329782549|1329782546|\\\'||1|Test
Account|1329782549|1329782544|\\\\||1|Test
Account|1329782549|1329782540|hi||1|Test
Account|1329782549|1329781792|\\\'||1|Test
Account|1329782549|1329781707|hi\\\\||1|Test
Account|1329782549|1329781701|/||1|Test
Account|1329782549|1329781675|<a class=\'bookmark_tweet\' target=\'_blank\' href=\'http://bing.com\'>hi\\\\</a>'
))</script>
Addslashes is only useful for DB queries. For browser output, you need encoding:
PHP’s htmlspecialchars():
https://www.php.net/manual/en/function.htmlspecialchars.php
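As an added example (not the asker's ObjectMaker/MarkTweet code, nor from the answer above), here is how the same pageInsert() output can be built by encoding for the context the data actually lands in: json_encode() for the JavaScript string literal inside the script tag, and htmlspecialchars() for text written into HTML (whether by document.write() or .innerHTML, which both parse the result as HTML). The Arc.ViewHTweet name and the pipe-delimited record format are taken from the question; the sample records are constructed.

```php
<?php
// Constructed sample records in the question's "field|field|...||field|..." shape,
// including the characters that broke the addslashes() approach.
$records = [
    "1|Test Account|1329782549|1329782546|'",
    "1|Test Account|1329782549|1329782544|\\",
    "1|Test Account|1329782549|1329781675|<a class='bookmark_tweet' href='http://bing.com'>hi\\</a>",
];

// JavaScript string-literal context. json_encode() emits a valid JS literal
// (quotes and backslashes escaped), and the JSON_HEX_* flags turn < > & ' " into
// \uXXXX so the data can never contain a literal "</script>" that ends the tag.
function jsLiteral(string $s): string
{
    $out = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    );
    if ($out === false) {
        // json_encode() rejects invalid UTF-8; fail closed rather than emit a broken script.
        throw new RuntimeException('data is not valid UTF-8: ' . json_last_error_msg());
    }
    return $out;
}

// HTML text / attribute context: what the answer above points to.
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$payload = implode('||', $records);

// Replacement for the document.write(Arc.ViewHTweet('...')) line from the question.
// No surrounding quotes: jsLiteral() already returns a double-quoted JS string.
echo "<script type='text/javascript'>document.write(Arc.ViewHTweet("
    . jsLiteral($payload)
    . "))</script>\n";

// If a field is meant to render as plain text (not markup) in the page, encode it
// as HTML before it is inserted, whether via document.write() or element.innerHTML.
echo "<div id='tweet'>" . htmlText($records[0]) . "</div>\n";
```

The third record's anchor tag is kept intact inside the JS literal because Arc.ViewHTweet() is assumed to interpret that field as markup; only fields that should display as text go through htmlText().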