How can I properly escape HTML form input default values in PHP?

Solution 1

Use htmlspecialchars($_POST['firstname']) and htmlspecialchars($_POST['content']).

Always escape strings with htmlspecialchars() before showing them to the user.

Solution 2

htmlspecialchars would work in both cases. Have a look at the different flag options to avoid quotation marks being a problem in the input case.

Solution 3

Given that it is kind of long, I would put it in a function:

<?PHP
// Encode a value for use inside an HTML attribute or element body.
// ENT_QUOTES encodes both single and double quotes (ENT_COMPAT alone covers only double quotes).
// ISO-8859-1 is the charset this answer uses; htmlentities() also converts accented letters to entities.
// The final true (double_encode) re-encodes existing entities such as &amp; instead of leaving them as-is.
function encodeValue ($s) {
    return htmlentities($s, ENT_COMPAT|ENT_QUOTES, 'ISO-8859-1', true);
}
?>

This has ENT_QUOTES to make sure single and double quotes are encoded, but it will also encode special characters (like in José) instead of inserting an empty string.

Then you can do:

<input type="text" name="firstname" value="<?= encodeValue($_POST['firstname']) ?>" />

and

<textarea name="content"><?= encodeValue($_POST['content']) ?></textarea>
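A worked helper in the spirit of Solution 3, added here as an example (it is not code from any of the answers above): it uses htmlspecialchars() with explicit flags and UTF-8, and shows why ENT_QUOTES and ENT_SUBSTITUTE matter. The function name escapeHtml and the $post array are my own; $post is constructed sample data standing in for $_POST.

```php
<?php
declare(strict_types=1);

// Escape user data for HTML text content or for a quoted attribute value.
// ENT_QUOTES encodes both " and ' (so single-quoted attributes are safe too);
// ENT_SUBSTITUTE replaces invalid UTF-8 bytes with U+FFFD instead of making
// htmlspecialchars() return an empty string. Flags are passed explicitly
// because the defaults changed in PHP 8.1 (ENT_COMPAT before, ENT_QUOTES after).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample data standing in for $_POST (not real request input).
$post = [
    'firstname' => "José O'Brien \"Jr\"",       // accents plus both quote styles
    'content'   => "<script>alert(1)</script>", // markup that must stay inert
    'broken'    => "abc\xFF",                   // an invalid UTF-8 byte
];

// Fall back to '' when a key is absent instead of echoing an undefined index.
$firstname = $post['firstname'] ?? '';
$content   = $post['content'] ?? '';
$broken    = $post['broken'] ?? '';

// Why ENT_QUOTES matters: ENT_COMPAT leaves the apostrophe untouched, so the
// value would end a single-quoted attribute early. The helper encodes it.
// Valid UTF-8 such as é is passed through unchanged by htmlspecialchars().
echo htmlspecialchars($firstname, ENT_COMPAT, 'UTF-8'), "\n";
echo escapeHtml($firstname), "\n";

// Why ENT_SUBSTITUTE matters: without it the whole value silently becomes ''.
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'));
var_dump(escapeHtml($broken));

// The two form fields from the question, re-rendered through the helper.
$safeName    = escapeHtml($firstname);
$safeContent = escapeHtml($content);
echo <<<HTML
<input type="text" name="firstname" value="{$safeName}" />
<textarea name="content">{$safeContent}</textarea>

HTML;
```

Run it with `php escape_demo.php` (any file name) and compare the first two echoed lines to see the apostrophe handled differently.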
Author: Ryan

Updated on June 16, 2021

Comments

  • Ryan
    Ryan almost 3 years

    Given the following two HTML/PHP snippets:

    <input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>" />
    

    and

    <textarea name="content"><?php echo $_POST['content']; ?></textarea>
    

    what character encoding do I need to use for the echoed $_POST variables? Can I use any built-in PHP functions?

    Please assume that the $_POST values have not been encoded at all yet. No magic quotes - no nothing.

  • PJ Brunet
    PJ Brunet over 12 years
    However, htmlspecialchars() won't help you with value='single quotes'. This is what happens: value='We're not using this in our &quot;code&quot;...' All you see is We.
  • Your Common Sense
    Your Common Sense over 12 years
    So, don't use single quotes in values. Or use the ENT_QUOTES modifier. Not a big deal.
  • Jordan Eldredge
    Jordan Eldredge over 11 years
    Note: It is important to use double quotes for the value attribute in <input> tags.
  • Jordan Eldredge
    Jordan Eldredge over 11 years
    Unless you specify ENT_QUOTES as the second htmlspecialchars() argument, single quotes will not be escaped. Therefore any single quotes present in your $_POST value will break out of the <input> field.
  • Jordan Eldredge
    Jordan Eldredge over 11 years
    @YourCommonSense Presumably post data is coming from the user, so "don't use single quotes in values" is not terribly helpful advice. Using ENT_QUOTES is the correct solution, but remembering to do so could be a "big deal".
  • Brainware
    Brainware almost 11 years
    Note: Don't be tempted to use htmlentities(). That breaks UTF-8 characters. As rid said, use htmlspecialchars().
  • GoTo
    GoTo over 9 years
    If you don't use the ENT_QUOTES parameter, then single quotes are not escaped. This is not a problem if, in the input tag, you define the value parameter as value="double quotes". The double quotes are escaped in the user-provided string, and the part with value="... is provided by the server.
  • Noumenon
    Noumenon over 8 years
    @Brainware Even now that htmlentities() defaults to UTF-8?
  • kta
    kta over 7 years
    That's the output escaping. The user wanted to know about input escaping.
  • Sander Visser
    Sander Visser about 5 years
    ENT_QUOTES alone would be enough to escape both double and single quotes.
  • ToolmakerSteve
    ToolmakerSteve about 5 years
    Not clear why this answer specifies ISO-8859-1 rather than the more commonly used (and now default) value UTF-8. If in doubt, start with the simpler return htmlentities($s, ENT_QUOTES);
  • Eric
    Eric almost 5 years
    @ToolmakerSteve, why ISO-8859-1 vs UTF-8? Because that is what worked and I never tested UTF-8. I welcome some investigation there. Just using ENT_QUOTES does not work for characters with accents and will screw up names.