[nycphp-talk] Form action submission trickery
John Campbell
jcampbell1 at gmail.com
Fri Nov 30 16:01:41 EST 2007
> Which begs the question htmlspecialchars or htmlentities. I err on the
> side of caution, using a single escaping function, to be consistent, that
> calls htmlentities with the appropriate character set and ENT_QUOTES.
I have always just used htmlspecialchars. htmlentities feels like a
bad idea if your content is primarily non-Roman characters. The HTML
would be unreadable, and I suspect there would be a noticeable
performance hit. The goal is to prevent content from being treated as
code, which is exactly what htmlspecialchars does. I don't bother to
specify the character set, because it only really matters for
htmlspecialchars if you are using something bizarre like BIG5 or
UTF-16/32. UTF-8 and ISO-8859-* are the same for all relevant
characters. If you specify UTF-8, PHP will check to see if the string
is valid UTF-8, which is unnecessary.
-john c.
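As an added example (my code, not John's or anything posted to the list), the single escaping helper the thread talks about, built on htmlspecialchars with ENT_QUOTES and an explicit charset, run side by side with htmlentities on the same constructed input and applied to the form-action case from the subject line. It assumes PHP 7 or later; the helper name `e()` and the sample strings are my own.

```php
<?php
// Added example, not from the original thread.
declare(strict_types=1);

/**
 * Escape untrusted text for an HTML body or attribute context.
 * ENT_QUOTES covers both " and ', so the value is safe inside either
 * attribute quoting style. With a charset given, PHP returns '' for an
 * invalid byte sequence; surface that instead of emitting empty output.
 */
function e(string $s): string
{
    $out = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    if ($out === '' && $s !== '') {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $out;
}

// Constructed sample: the five HTML-significant characters mixed with
// non-Latin text, as a submitted form field might contain.
$input = "Tom & Jerry <b>'quoted'</b> \"日本語\" café";

// htmlspecialchars only neutralises the characters that can become markup;
// htmlentities additionally rewrites every character with a named entity
// (the é), which is the readability cost John mentions.
echo 'htmlspecialchars: ', e($input), PHP_EOL;
echo 'htmlentities:     ', htmlentities($input, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// Without ENT_QUOTES (ENT_COMPAT) the single quote passes through, which
// is only safe if every attribute on the page is double-quoted.
echo 'ENT_COMPAT:       ', htmlspecialchars("it's", ENT_COMPAT, 'UTF-8'), PHP_EOL;

// The form-action case: reflecting the request URI back into an attribute
// goes through the same helper. Falls back to '/' when run from the CLI.
$uri = $_SERVER['REQUEST_URI'] ?? '/';
printf('<form method="post" action="%s">%s', e($uri), PHP_EOL);

// Constructed malformed UTF-8 (a lone lead byte) shows the charset check.
try {
    e("\xC3\x28");
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}
```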