Hi All,
I am applying some htmlspecialchars to strings before displaying them to the user. In theory, there are 2 situations :
1/ when the user submits a form, I display the just-entered data as plain text at the top of the next form to tell the user that their entries have been taken into account.
2/ Should the user make a mistake while filling a form, the form is displayed again with form fields ("value" parameters of input tags) prefilled so that correctly-entered data does not need retyping.
In both cases, I use the syntax echo htmlspecialchars($string) to display the data.
To simulate both cases at the same time, I have put echo htmlspecialchars($string) both into a "value" parameter of an input tag and outside this input tag, and left some mandatory fields blank to force the form to display again. The string tested is <<<<<<"<<<<<<. From the user's point of view, the string is reproduced as is in both cases. However the html output differs: where the string is plain text, the html output is &lt;&lt;&lt;&lt;&lt;&lt;"&lt;&lt;&lt;&lt;&lt;&lt; (every character is converted except the double quote), whereas where the string is the content of the "value" parameter of the input tag, the html output is <<<<<<&quot;<<<<<< (only the double quote is converted).
I have 3 questions: 1. Since I did not use ENT_NOQUOTES, why did the double quote not get converted in the plain text situation? (official doc: '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.) 2. Why did the "less than" characters remain untouched in the input tag situation (official doc: '<' (less than) becomes '&lt;')? 3. Does this apparent lack of conversions bear some risks as far as the html structure of the whole page is concerned?
Thanks!
(PHP version : 5.3.25)
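As an added example (not the poster's code), here is a small script that escapes the same test string for the two output contexts described above, a text node and a double-quoted "value" attribute, and then checks the string it actually produced rather than what a browser renders. The function names e() and render() and the field name "title" are assumptions made for the example; it uses ENT_QUOTES so that single quotes are encoded as well, which the post's default call does not do.

```php
<?php
// Added example: htmlspecialchars() in both output contexts from the post.
// Runs on PHP 5.3 or later. Names e(), render() and the field "title" are
// invented for this example.

// Escape a string for use in an HTML text node or inside a double-quoted
// attribute value. ENT_QUOTES also encodes the single quote, so the same
// helper is safe in single-quoted attributes too.
function e($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Build the confirmation line (case 1) and the prefilled input (case 2)
// for one submitted value, escaping in both places.
function render($value) {
    $html  = '<p>You entered: ' . e($value) . "</p>\n";
    $html .= '<input type="text" name="title" value="' . e($value) . '">' . "\n";
    return $html;
}

// Constructed input: the same string as in the post, plus a single quote.
$test = '<<<<<<"<<<<<<\'';

// Inspect the bytes PHP sends, not the DOM a browser inspector shows:
// the inspector serialises an already parsed tree, so it will not match
// the raw response. "view-source:" or curl show the raw response.
echo render($test);

// Self-check on the escaped value: none of the characters that could end
// a text node, close a double-quoted attribute or close a single-quoted
// attribute survive unencoded.
$escaped = e($test);
foreach (array('<', '>', '"', "'") as $ch) {
    if (strpos($escaped, $ch) !== false) {
        fwrite(STDERR, "unescaped $ch found\n");
        exit(1);
    }
}
echo "escaping check passed\n";
```

The check at the end is the useful part when comparing with what a DOM inspector displays: it operates on the string PHP generated, so it tells you whether the attribute or text node could be broken out of, independent of how any tool later decodes entities for display.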