Html,PHP - Escape '<' and '>' Symbols While Echoing

HTML,PHP - Escape ' ' and ' ' symbols while echoing

Use htmlspecialchars.

<?php
    echo htmlspecialchars("abc & < >");
?>

Escape character in php with echo

You can try the following instead:

echo '<button type="button" id="add" onClick="addAsset(\''.$filename.'\');"> '.$filename.' </button>';

So, instead of escaping " double quote. we are escaping ' single quote. Which will be more clear when reading the html output.

Edit: Better approach would be to write html blocks outside of php blocks like the following:

<?php 
//Your PHP COde
?>
<button type="button" id="add" onClick="addAsset('<?= $filename ?>');"><?= $filename ?></button>
<?php 
//More PHP COde
?>

As you can see it will be more readable and no escaping would be required. And as you might notice this uses <?= $filename ?>, that is just short for <?php echo $filename ; ?>. Learn more about all this in Escaping from HTML

Edit 2: Also, as @deceze have suggested wht if variable $filename might contain quote or some thing you can use the htmlentities() for that, it will protect you against XSS if the values of filename
is an input from user. you can use it like below:

<button type="button" id="add" onClick="addAsset('<?= htmlentities($filename) ?>');"><?= htmlentities($filename) ?></button>

Also, check @deceze's Answer below for better understanding of how to protect your code from xss, in this particualr situation.

using batch echo with special characters

You can escape shell metacharacters with ^:

echo ^<?xml version="1.0" encoding="utf-8" ?^> > myfile.xml

Note that since echo is a shell built-in it doesn't follow the usual conventions regarding quoting, so just quoting the argument will output the quotes instead of removing them.

HTML,PHP - Escape ' ' and ' ' symbols while echoing

Use htmlspecialchars.

<?php
    echo htmlspecialchars("abc & < >");
?>

Escape when echoed

According to the developer documents, everything must be escaped for security reasons. Here are the escaping function WordPress provides for different data:

esc_attr()      // Use on everything else that’s printed into an HTML element’s attribute.
esc_html()      // Use anytime an HTML element encloses a section of data being displayed. This WILL NOT display HTML content, it is meant for being used inside HTML and will remove your HTML.
esc_js()        // Use for inline Javascript.
esc_textarea()  // Use this to encode text for use inside a textarea element.
esc_url()       // Use on all URLs, including those in the src and href attributes of an HTML element.
esc_url_raw()   // Use when storing a URL in the database or in other cases where non-encoded URLs are needed.
wp_kses()       // Use to safely escape for all non-trusted HTML (post text, comment text, etc.)
wp_kses_post()  // Alternative version of wp_kses() that automatically allows all HTML that is permitted in post content.
wp_kses_data()  // Alternative version of wp_kses() that allows only the HTML permitted in post comments.

Here is the official documentation if you want to read more into it.

https://developer.wordpress.org/plugins/security/securing-output/

How to display HTML tags as plain text

Replace < with < and > with >.

php - no need to escape variables when echoing?

When you put a variable inside double quotes it will resolve the value. This has always been the case.

So:

echo "<li> $key - $value</li>";

And

echo "<li>" . $key . " - " .  $value . "</li>";

Will give you the same result.

php echo iframe escape characters

You need to escape double quotes using backslashes, or you can use single quotes as well.

In your version, the if block is absolutely fine. Similar to that you need to correct the else block as well by escaping double quotes \" like shown here,

$youtube = $_SESSION['SESS_YOUTUBE'];
if($_SESSION['SESS_YOUTUBE'] == '') {
     print "<div class=\"someClass\">Some Text Here</div>";
}
else {
     print "<iframe id=\"player\" width=\"425\" height=\"350\" src=\"http://www.youtube.com/embed/$youtube\" frameborder=\"0\"></iframe>";
}

Using single quotes:

$youtube = $_SESSION['SESS_YOUTUBE'];
if($_SESSION['SESS_YOUTUBE'] == '') {
     print '<div class="someClass">Some Text Here</div>';
}
else {
     print '<iframe id="player" width="425" height="350" src="http://www.youtube.com/embed/$youtube" frameborder="0"></iframe>';
}

Replace tabs and spaces with a single space as well as carriage returns and newlines with a single newline

First, I'd like to point out that new lines can be either \r, \n, or \r\n depending on the operating system.

My solution:

echo preg_replace('/[ \t]+/', ' ', preg_replace('/[\r\n]+/', "\n", $string));

Which could be separated into 2 lines if necessary:

$string = preg_replace('/[\r\n]+/', "\n", $string);
echo preg_replace('/[ \t]+/', ' ', $string);

Update:

An even better solutions would be this one:

echo preg_replace('/[ \t]+/', ' ', preg_replace('/\s*$^\s*/m', "\n", $string));

Or:

$string = preg_replace('/\s*$^\s*/m', "\n", $string);
echo preg_replace('/[ \t]+/', ' ', $string);

I've changed the regular expression that makes multiple lines breaks into a single better. It uses the "m" modifier (which makes ^ and $ match the start and end of new lines) and removes any \s (space, tab, new line, line break) characters that are a the end of a string and the beginning of the next. This solve the problem of empty lines that have nothing but spaces. With my previous example, if a line was filled with spaces, it would have skipped an extra line.

How should I echo a PHP string variable that contains special characters?

This will prevent your tags from being broken by the echo:

<?php echo htmlentities($message); ?>

---

Related Topics