var_dump or print_r and html encoding
Solution 1
I found that knittl's code does not work. I had to make some small changes to get it to work as follows:
array_walk_recursive($inputarray, function(&$v) { $v = htmlspecialchars($v); });
Now this works fine in PHP 5.3+.
Solution 2
While this question has an accepted answer, I think David Morrow's answer is the best/simplest/most practical (it uses the print_r true flag):
echo "<pre>".htmlentities(print_r($some_array, true))."</pre>";
Nevertheless, here is another solution that uses output buffering:
<?php
ob_start();
print_r($some_array);
$buffer = ob_get_clean();
echo "<pre>".htmlentities($buffer)."</pre>";
?>
Solution 3
Or you could just save the print_r output to a string (second parameter set to true) and then escape it.
$arr = array('<script>alert("hey");</script>');
$str = print_r($arr, true);
echo htmlentities($str);
outputs:
Array
(
[0] => <script>alert("hey");</script>
)
script is not executed
Solution 4
A function that works for me is described in this PHP manual comment. His function that replaces var_dump is implemented as:
function htmlvardump()
{
ob_start();
$var = func_get_args();
call_user_func_array('var_dump', $var);
echo htmlentities(ob_get_clean());
}
This works for me in PHP 5.3+.
(Please note that there was a typo in the original source).
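The capture-and-escape pattern from Solutions 2, 3 and 4, with the escaping flags a reviewer would ask for, as an added example that is not code from any of the answers above. The function names (html_dump, html_var_dump, html_print_r) and the sample array are my own, and it assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answers above. Function names are my own.

/**
 * Run $dumper ('var_dump', 'print_r', ...) on each of $vars while output
 * buffering is on, and return the captured text HTML-escaped inside <pre>.
 *
 *  - ENT_QUOTES: escape ' as well as " (the default flags of htmlentities()
 *    and htmlspecialchars() did not touch ' before PHP 8.1).
 *  - ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD; without it a single
 *    bad byte makes the whole escaped dump come back as '' and you see nothing.
 *  - explicit 'UTF-8': do not depend on the default_charset ini setting.
 *  - <pre>: keeps the newlines and indentation print_r/var_dump emit, so no
 *    nl2br()/&nbsp; post-processing is needed.
 */
function html_dump(callable $dumper, ...$vars): string
{
    ob_start();
    try {
        foreach ($vars as $var) {
            $dumper($var);            // writes into the buffer, not to the client
        }
        $raw = (string) ob_get_clean();
    } catch (\Throwable $e) {
        ob_end_clean();               // do not leave a dangling buffer on failure
        throw $e;
    }
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<pre>" . $safe . "</pre>\n";
}

function html_var_dump(...$vars): string
{
    return html_dump('var_dump', ...$vars);
}

function html_print_r(...$vars): string
{
    return html_dump('print_r', ...$vars);
}

// Constructed sample mirroring the question, plus a few cases the plain
// htmlentities(print_r($x, true)) pattern handles badly.
$sample = [
    '<b>',
    '<h1>hello</h1>',
    '<script>alert("hey")</script>',
    "' onmouseover='alert(1)",       // single quotes: not escaped by default before 8.1
    "caf\xe9 (latin-1 byte)",         // invalid UTF-8: blanks the whole dump without ENT_SUBSTITUTE
    '<img src=x onerror=alert(1)>' => 'keys are escaped too, because the rendered text is escaped',
];

echo html_print_r($sample);
echo html_var_dump($sample, 42, null);
```

Because the rendered text is escaped as a whole, array keys are covered as well as values, which the in-place array_walk_recursive variants never see. One caveat: if Xdebug is loaded with html_errors enabled it replaces var_dump() with its own HTML-formatted output, which this helper would then double-encode; use html_print_r() in that setup.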
Solution 5
A simple solution would be to use array_walk_recursive:
array_walk_recursive($inputarray, function(&$v) { $v = htmlspecialchars($v); });
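What the array_walk_recursive one-liner from Solutions 1 and 5 covers and what it misses, as an added example that is not code from either answer. escape_for_dump() and h() are my own names, the input array is constructed for the demo, and it assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answers above. escape_for_dump() and h()
// are my own names; the input array is constructed for the demo.

function h($s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Deep-copy $data with every string key and string value HTML-escaped.
 * Compared with the array_walk_recursive() one-liner:
 *  - the caller's array is left untouched (the one-liner rewrites it in place),
 *  - keys are escaped too (the one-liner's callback never sees keys),
 *  - ints/floats/bools/null keep their type, so var_dump still shows what they were,
 *  - objects are descended into by their public properties (array_walk_recursive
 *    only recurses into arrays and hands an object to the callback whole).
 */
function escape_for_dump($data)
{
    if (is_array($data)) {
        $out = [];
        foreach ($data as $k => $v) {
            $out[is_string($k) ? h($k) : $k] = escape_for_dump($v);
        }
        return $out;
    }
    if (is_object($data)) {
        return escape_for_dump(get_object_vars($data));
    }
    return is_string($data) ? h($data) : $data;
}

// Constructed input: hostile values, a hostile key, nesting, non-string values.
$input = [
    '<b>',
    'nested'   => ['<i>', ['<h1>hello</h1>']],
    '<script>' => 'value is harmless, the key is not',
    'count'    => 7,
    'missing'  => null,
];

// The one-liner from Solutions 1 and 5 (the cast is needed under strict_types).
$walked = $input;
array_walk_recursive($walked, function (&$v) {
    $v = htmlspecialchars((string) $v, ENT_QUOTES);
});
echo "<pre>", print_r($walked, true), "</pre>\n";
// -> [<script>] => ... : the key reaches the browser raw, even inside <pre>
// -> 7 and null are now the strings "7" and "" (var_dump would show string(1) / string(0))
echo $walked === $input ? "input unchanged\n" : "input was rewritten in place\n";

// Copying variant: same rendering, but keys escaped, types kept, $input untouched.
echo "<pre>", print_r(escape_for_dump($input), true), "</pre>\n";
// -> [&lt;script&gt;] => ...
echo $input['count'] === 7 ? "input unchanged\n" : "input was rewritten in place\n";
```

The walk-based approach is fine for a quick look at string values, but because print_r and var_dump print keys verbatim, a hostile key still lands in the page unescaped; escaping the rendered dump text, or rebuilding the array with escaped keys as above, closes that gap.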
Average Joe
Updated on July 09, 2022

Comments
-
Average Joe almost 2 years
<?php $x = array("<b>","<i>","b","i","<h1>hello</h1>"); print_r ($x); echo "<hr>"; var_dump ($x);
outputs this in the html source!
Array ( [0] => <b> [1] => <i> [2] => b [3] => i [4] => <h1>hello</h1> ) <hr>array(5) { [0]=> string(3) "<b>" [1]=> string(3) "<i>" [2]=> string(1) "b" [3]=> string(1) "i" [4]=> string(14) "<h1>hello</h1>" }
obviously, I could have been XSS'ed by that!
How can I make sure that the array values are htmlencoded? -
noob about 12 years: +1 But can be done shorter, with a shorter function name: htmlentities
-
knittl about 12 years: @micha: shorter? It's a different function that encodes its input differently
-
Average Joe about 12 years: @Knittl I'm getting this Parse error: syntax error, unexpected T_FUNCTION in ... when I do this: $x = array("<b>","<i>","b","i","<h1>hello</h1>"); print_r ($x); echo "<hr>"; var_dump ($x); echo "<hr>"; array_walk_recursive($x, function($v) { return htmlspecialchars($v); });
-
knittl about 12 years: @AverageJoe: lambda functions were only introduced recently in PHP. In older versions you have to create a separate function and pass its name as callback to array_walk_recursive
-
knittl about 12 years: @micha: "not very different" and "different" are not the same thing. I claimed it encodes its input differently (and it does). Furthermore, you usually don't want htmlentities (even if it saves you a few keystrokes – you can always create a wrapper function: function h($s) { return htmlspecialchars($s); } or $h = 'htmlspecialchars'; echo $h('somestring'); depending on your needs) -
knittl over 10 years: Yeah, now that you say it … You are totally right, my answer should work now as well. +1
-
Mike over 6 years: htmlentities won't do line returns or consecutive spaces so you may need to wrap it in a string replace for those: str_ireplace(array("\n"," "),array("<br/>","&nbsp;"),htmlentities($str));
-
Andrew about 6 years: I used this with a slight modification to loop over the values in $var and call var_dump on each one instead of the array of arguments.