echo+htmlentities is not working properly?












-1















I have this code:

$title = 'Alguém';
<h1><?php echo htmlentities($title, ENT_QUOTES, 'UTF-8', false); ?></h1>

PS: this is just an example; in my current code I get the value of $title from my database.

The result that can be seen on the web page:

<h1>Alguém</h1>

And the result that can be seen in view-source:

<h1>Algu&eacute;m</h1>

Why does this happen? Am I using htmlentities correctly?










php echo html-entities






asked Jan 2 at 6:13









Natalie

727













  • Your example code works fine. Seems like there is some issue with the tag mismatch in the PHP file.

    – Nishant Saini
    Jan 2 at 6:29

  • When you say view source, are you just saying that the source code for the HTML on your web page shows <h1>Algu&eacute;m</h1>?

    – Joseph_J
    Jan 2 at 6:32

  • @Joseph_J yes, the view-source:https://example.com. Should I worry about it?

    – Natalie
    Jan 2 at 6:33

  • @NishantSaini tag mismatch? What do you mean?

    – Natalie
    Jan 2 at 6:35

  • @Natalie Opening and closing PHP tags.

    – Nishant Saini
    Jan 2 at 6:36





















2 Answers


















1







Your code is working correctly. htmlentities converts HTML entities into a defined series of characters that your browser can interpret as the entity you want to display in your browser. This is done to prevent malicious code from being run in your script.

As an example:

Without HTML entities being used, this line of code will actually work. Your browser sees the line of code as:

<script>alert("I just hacked your html")</script>

When you sanitize that same line of code with htmlentities(), it replaces all of the entities with the defined series of character representations that the browser interprets as the entity. So this is what gets output to the browser:

&lt;script&gt;alert(&quot;I just hacked your html&quot;)&lt;

This script will not get run as JavaScript in your browser.

Here is a link that you can read that will give you some additional information. There is plenty of information on Google that outlines this.

html entities

Here is a list of HTML entities:
Entity list

Hope that helps.






answered Jan 2 at 6:42









Joseph_J

3,273













  • Why would htmlentities() replace words with accents (áàéèâêã...etc)?

    – Natalie
    Jan 2 at 6:54

  • Because they are defined character representations for those characters. This is done out of necessity due to the different encoding options (character sets) that are used. It's an attempt to standardize a wide variety of possible characters that might be used. I would do some reading on it; htmlentities() is doing its job to help mitigate risk.

    – Joseph_J
    Jan 2 at 6:58

  • Food for thought: A lot of people run htmlentities() or similar functions on their data prior to moving the data to their database. I recommend not running these functions prior to your database options. If you properly use parameterized queries to query the database, your raw data will sit in your database without issue. Then all you have to do is make sure you sanitize your data after you retrieve it from the database. This can easily be done in the function that retrieves that data. From that point on you don't have to worry about anything that is displayed to the user.

    – Joseph_J
    Jan 2 at 7:15
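To make concrete what this answer and its comment thread describe, here is an added example (not code from the question or from either answer) that runs the same constructed inputs through htmlentities() and htmlspecialchars() with an explicit UTF-8 charset. It shows that htmlentities() rewrites é as the named entity &eacute; while htmlspecialchars() leaves it as a literal character, and that both functions turn <, >, & and the quote characters into entities, which is what stops a title containing markup from being parsed as a script element. The escapeHtml() helper and the $samples array are constructed for this example and are not part of the original post.

```php
<?php
// Added example, not from the original question or answers.
// Shows why htmlentities() rewrites "é" as &eacute; while htmlspecialchars()
// leaves it alone, and that both turn markup characters into entities.
declare(strict_types=1);

// Constructed sample values, standing in for rows read from the database.
$samples = [
    'accented title'  => 'Alguém',
    'markup in title' => '<script>alert("I just hacked your html")</script>',
    'quotes in title' => 'O\'Reilly & "friends"',
];

// Hypothetical helper: escape a value for an HTML text node or a
// double-quoted attribute. ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences with U+FFFD instead of returning an
// empty string; ENT_HTML5 selects the HTML5 entity table.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

foreach ($samples as $label => $raw) {
    // htmlentities() encodes every character that has a named entity (so é
    // becomes &eacute;); htmlspecialchars() encodes only & < > " and '.
    $entities = htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $special  = escapeHtml($raw);

    echo $label, PHP_EOL;
    echo '  raw:              ', $raw, PHP_EOL;
    echo '  htmlentities:     ', $entities, PHP_EOL;
    echo '  htmlspecialchars: ', $special, PHP_EOL, PHP_EOL;
}

// The same <h1> as in the question, escaped at output time. Either function
// renders as "Alguém" in the browser; only the page source differs.
$title = 'Alguém';
echo '<h1>', escapeHtml($title), '</h1>', PHP_EOL;
```

Run it from the command line with php; the browser would render "Alguém" for either function, and the difference is only visible in view-source. If you want accented characters to stay readable in the page source, htmlspecialchars() with an explicit charset is the usual choice; whichever function you pick, apply it at output time, after the raw value has come back from the database through a parameterized query, as the last comment above recommends.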





















0







echo htmlentities($title, ENT_QUOTES);






answered Jan 2 at 6:21









joslin selva c

113








  • There is no difference in the output between this and the OP code.

    – Joseph_J
    Jan 2 at 6:30













