[nycphp-talk] htmlentities charset bug

csnyder chsnyder at gmail.com
Wed Jan 23 14:25:33 EST 2008


On Jan 23, 2008 1:43 PM, John Campbell <jcampbell1 at gmail.com> wrote:

> Also, why are you using htmlentities?  It is a useless function.  If
> you want to escape html, the correct function is htmlspecialchars.
> Htmlentities should never be used... it is slower, adds no security
> benefit, and it unnecessarily makes the data unreadable.

Interesting advice.

The difference between them is that htmlentities() escapes everything,
whereas htmlspecialchars() only escapes &, ", ', <, and >.

So what you're saying is that if an em dash or a smart quote or a
multibyte character exists in the content, it should be delivered to
the browser unescaped--or at least, there's no benefit to escaping it.

Do your pages validate? What happens in browsers that don't support
the characters you're sending? What happens in systems (such as RSS
feed processors) that don't support multibyte characters?

You may be right, and the use of htmlentities() may be old school,
like using web-safe colors. But if so it's not exactly conventional
wisdom, yet.

-- 
Chris Snyder
http://chxo.com/
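A worked example of the difference the two posts argue over, added here by the editor; it is not code from Chris's or John's messages. It escapes a constructed UTF-8 string with both functions, then shows what htmlentities() does to the same bytes when told the input is ISO-8859-1, which is what happened by default on the PHP 5 releases current at the time (the default charset only became UTF-8 in PHP 5.4). The function names and the sample string are the editor's own.

```php
<?php
// Added example (not from the original posts). Compares htmlspecialchars()
// and htmlentities() on UTF-8 input, and shows the charset-mismatch failure.

function escape_for_html(string $s): string
{
    // ENT_QUOTES escapes both " and ' (without it, ' is left alone);
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead
    // of returning an empty string. Only & " ' < > are touched.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escape_all_as_entities(string $s): string
{
    // Same five characters, plus every character that has a named entity
    // in the HTML 4.01 table (em dash, curly quotes, accented Latin, ...).
    // Characters with no named entity (e.g. CJK) are passed through.
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escape_with_wrong_charset(string $utf8): string
{
    // Declares UTF-8 input as ISO-8859-1: each byte of a multibyte sequence
    // is treated as a separate Latin-1 character. For the em dash
    // (E2 80 94) the first byte becomes &acirc; and the other two are
    // emitted as raw C1 control bytes, i.e. the page is now corrupted.
    return htmlentities($utf8, ENT_QUOTES, 'ISO-8859-1');
}

// Constructed sample: markup characters, an em dash, curly quotes,
// an accented Latin character and two CJK characters.
$sample = "<b>Tom & \"Jerry\"</b> — 'smart' quotes: “hi” café 日本";

echo escape_for_html($sample), PHP_EOL;
echo escape_all_as_entities($sample), PHP_EOL;
echo bin2hex(escape_with_wrong_charset("—")), PHP_EOL;
```

Running this shows the three behaviours side by side: escape_for_html() neutralises the tag and the quotes and leaves the em dash, curly quotes, é and 日本 as UTF-8; escape_all_as_entities() additionally rewrites them as &mdash;, &ldquo;, &rdquo; and &eacute; but still leaves 日本 alone, so htmlentities() does not make a page charset-independent anyway; and the hex dump of the wrong-charset call contains 26616369726326 (&acirc;) followed by the stray bytes 80 94. For the RSS case Chris raises, note that named entities such as &mdash; are not defined in XML, so htmlentities() output breaks strict feed parsers, whereas htmlspecialchars() output (&amp;, &lt;, &gt;, &quot; and the numeric &#039;) is valid XML. The security property is identical in both: what stops markup injection is escaping & < > " ', with the charset passed explicitly so the function and the browser agree on where characters begin and end.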


