I am using htmlspecialchars() on my site to display status post from users.
The status post is being saved to my database and pulled to show in their timeline.
I'm using laravel 5.3
The problem is if someone post something like: Netflix & Chill, this turns into Netflix & Chill
How can i still use htmlspecialchars() so that I can keep my site safe, but still show the proper text instead of turning even & symbol into &
On
htmlspecialchars converts a raw ASCII character into it's HTML entity. This means that they will still be rendered correctly on the page (i.e. a < symbol will still appear as < on the page), but will not have any special meaning for HTML.
Thus, in the database, they will appear as entity codes, but when rendered onto the page, users will be able to see them as the initial characters that they typed.
If you need to preserve the characters in the database (I am not sure why you would need to), you could look into replacing them with homoglyphs, as preserving their appearance in the database and the protection of your HTML is not possible if you are simply using htmlspecialchars.
It should display the proper text.
The most common reason I've seen for what you're describing is double encoding. (Passing the string through
htmlspecialcharstwice.) For example, withIf you use
echo htmlspecialchars($str), you'll see 'Netflix & Chill' in the browser. But if you useecho htmlspecialchars(htmlspecialchars($str));instead, you'll see the escaped ampersand in the browser. (If you view the page source, it's actuallyNetflix &amp; Chill.)You may be inadvertently doing this if you're using a template that escapes the output automatically. I noticed you tagged the question with Laravel, and blade templates do this. See here in the documentation:
If that's what you're using to display your data, you shouldn't use
htmlspecialcharsbefore you send the values to the template.