Suppose I have something like this: if ($command === ‘txt’) { header(‘Content-type: text/plain;charset=utf-8’); echo

Question

0

Asked: June 1, 20262026-06-01T11:50:54+00:00 2026-06-01T11:50:54+00:00

Suppose I have something like this: if ($command === ‘txt’) { header(‘Content-type: text/plain;charset=utf-8’); echo

0

Suppose I have something like this:

if ($command === 'txt') {
    header('Content-type: text/plain;charset=utf-8');
    echo $result;
    exit();
} else ($command === 'js') {
    $json = array( $result );
    header('Content-type: text/javascript;charset=utf-8');
    echo $callback . '(' . substr(json_encode($json), 1, -1) . ');';
    exit();
}

Can I use htmlspecialchars on the echo statements, it messes it up if it’s interpret as html, on the other hand does not having them leave the risk that someone may try doing an xss attack if the browser does interpret it as html.

What should I do? Should I not worry and not htmlspecialchars?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-01T11:50:56+00:00

Editorial Team

2026-06-01T11:50:56+00:00Added an answer on June 1, 2026 at 11:50 am

No, you should not use htmlspecialchars. Neither of those would make sense, since htmlspecialchars is intended to avoid HTML injection. However, if you use JSON, your client code needs to take care how it uses the returned value.

For instance, injecting it into innerHTML would not be safe.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Suppose I have something like this: if ($command === ‘txt’) { header(‘Content-type: text/plain;charset=utf-8’); echo

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply