var_dump or print_r and html encoding

Solution 1

I found that knittl's code does not work. I had to make some small changes to get it to work as follows:

array_walk_recursive($inputarray, function(&$v) { $v = htmlspecialchars($v); });

Now this works fine in PHP 5.3+.

Solution 2

While this question has an accepted answer, I think David Morrow's answer is the best/simplest/most practical (uses the print_r true flag):

echo "<pre>".htmlentities(print_r($some_array, true))."</pre>";

Nevertheless, here is another solution that uses output buffering:

<?php

ob_start();
print_r($some_array);
$buffer = ob_get_clean();
echo "<pre>".htmlentities($buffer)."</pre>";

?>

Solution 3

Or you could just save the print_r to a string and then escape it using the second parameter set to true.

$arr = array('<script>alert("hey");</script>');
$str = print_r($arr, true);
echo htmlentities($str);

outputs:

Array
(
   [0] => <script>alert("hey");</script>
)

The script is not executed.

Solution 4

A function that works for me is described in this PHP manual comment.

His function that replaces var_dump is implemented as:

function htmlvardump()
{
    ob_start();
    $var = func_get_args();
    call_user_func_array('var_dump', $var);
    echo htmlentities(ob_get_clean());
}

This works for me in PHP 5.3+.

(Please note that there was a typo in the original source).

Solution 5

A simple solution would be to use array_walk_recursive:

array_walk_recursive($inputarray, function(&$v) { $v = htmlspecialchars($v); });
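Added example (not from the question or any of the answers above) that combines the output-buffering idea of Solutions 2 and 4 with the print_r true flag of Solution 3, escaping the rendered dump instead of mutating the array as Solutions 1 and 5 do. The function name html_dump and the sample array are assumptions; it assumes PHP 5.4+ for ENT_SUBSTITUTE.

```php
<?php
// Escape the debug output at the point it is rendered, not the data itself:
// walking the array with htmlspecialchars() changes the values being inspected
// and breaks on non-string elements (nested arrays, objects), whereas escaping
// the captured dump text works for any value var_dump()/print_r() can print.

/**
 * Return the var_dump() or print_r() rendering of $value, HTML-escaped and
 * wrapped in <pre>. Function name is an assumption for this example.
 */
function html_dump($value, $usePrintR = false)
{
    if ($usePrintR) {
        // print_r can return its output directly with the second flag set
        $raw = print_r($value, true);
    } else {
        // var_dump always writes to the output stream, so capture it
        ob_start();
        var_dump($value);
        $raw = ob_get_clean();
    }

    // ENT_QUOTES escapes both quote styles so the text is inert even inside an
    // attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ""
    // (an empty return would silently hide the dump and the problem with it).
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<pre>" . $escaped . "</pre>";
}

// Constructed sample: the question's input plus nested and non-string values
$x = array("<b>", "<i>", "b", "i", "<h1>hello</h1>",
           'nested' => array('onclick="alert(1)"', 42, null));

echo html_dump($x, true);   // print_r form
echo "<hr>";
echo html_dump($x);         // var_dump form
```

Both calls emit the markup characters as &lt;, &gt;, &quot; and &#039;, so the browser shows the dump literally rather than parsing it.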
Author: Average Joe

Updated on July 09, 2022

Comments

  • Average Joe
    Average Joe almost 2 years
    <?php 
    
    $x = array("<b>","<i>","b","i","<h1>hello</h1>");
    print_r ($x);
    echo "<hr>";
    var_dump ($x);
    

    outputs this in the html source!

    Array
    (
        [0] => <b>
        [1] => <i>
        [2] => b
        [3] => i
        [4] => <h1>hello</h1>
    )
    <hr>array(5) {
      [0]=>
      string(3) "<b>"
      [1]=>
      string(3) "<i>"
      [2]=>
      string(1) "b"
      [3]=>
      string(1) "i"
      [4]=>
      string(14) "<h1>hello</h1>"
    }
    

    obviously, I could have been XSS'ed by that!
    How can I make sure that the array values are htmlencoded?

  • noob
    noob about 12 years
    +1 But can be done shorter with shorter function name: htmlentities
  • knittl
    knittl about 12 years
    @micha: shorter? It's a different function that encodes its input differently
  • Average Joe
    Average Joe about 12 years
    @Knittl I'm getting this Parse error: syntax error, unexpected T_FUNCTION in ... when I do this $x = array("<b>","<i>","b","i","<h1>hello</h1>"); print_r ($x); echo "<hr>"; var_dump ($x); echo "<hr>"; array_walk_recursive($x, function($v) { return htmlspecialchars($v); });
  • knittl
    knittl about 12 years
    @AverageJoe: lambda functions were only introduced recently in PHP. In older versions you have to create a separate function and pass its name as callback to array_walk_recursive
  • knittl
    knittl about 12 years
    @micha: "not very different" and "different" are not the same thing. I claimed it encodes its input differently (and it does). Furthermore, you usually don't want htmlentities (even if it saves you a few keystrokes – you can always create a wrapper function function h($s) { return htmlspecialchars($s); } or $h = 'htmlspecialchars'; echo $h('somestring') depending on your needs)
  • knittl
    knittl over 10 years
    Yeah, now that you say it … You are totally right, my answer should work now as well. +1
  • Mike
    Mike over 6 years
    htmlentities won't do line returns or consecutive spaces so you may need to wrap it in a string replace for those: str_ireplace(array("\n"," "),array("<br/>","&nbsp;"),htmlentities($str));
  • Andrew
    Andrew about 6 years
    I used this with a slight modification to loop over the values in $var and call var_dump on each one instead of the array of arguments.