Why Are Escape Characters Being Added to the Value of the Hidden Input

Check whether your PHP configuration has magic_quotes_gpc activated, in which case the PHP server automatically adds slashes to GET/POST/cookie values...

Do escape value of hidden input

addslashes is a generic routine for escaping content for languages that use the \ character to start an escape sequence. HTML is not such a language, and most languages that are have a better, more specific function to handle escaping.

Use htmlspecialchars, not addslashes to escape content for HTML.

Since the attribute value contains spaces, you also need to wrap it in quote characters.

echo "<input type='hidden' value=\"".htmlspecialchars($text)."\" name='saveCard[]'>";

As a rule of thumb, try to avoid putting HTML inside PHP strings.

?>
<input
type="hidden"
value="<?php echo htmlspecialchars($text); ?>"
name="saveCard[]">
<?php

While assigning a value to an ASP hidden field, the escape character gets cleared

I have resolved the issue by using the following code.

using System;
using System.Web;
using System.Web.Script.Serialization;

string jsonString = Convert.ToString(Page.Request.QueryString["searchdata"]);
jsonString = HttpUtility.UrlDecode(jsonString);
// Here I get the following JSON string:
// {"StartDate":"\/Date(1436466600000)\/","EndDate":"\/Date(1439145000000)\/","ClassType":0,"InstructorID":0}
// With the following line I corrected the JSON string, and now it deserializes to the object.
jsonString = jsonString.Replace("/", "\\/");
JavaScriptSerializer oJS = new JavaScriptSerializer();
ChartSearchCriteria oRootObject = oJS.Deserialize<ChartSearchCriteria>(jsonString);
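The same query-string payload handled in Node.js, as an added example that is not the poster's C# code. SAMPLE_QUERY is constructed here to match the shape shown in the comment above; the point it demonstrates is that JSON.parse treats `\/` as an escaped `/`, so both spellings decode to the same string and no Replace() step is needed, and that a reviver can turn the `/Date(ms)/` strings into Date objects in one pass.

```javascript
// Constructed sample (not captured from the original post): the JSON carries
// "\/"-escaped slashes and is then percent-encoded as it would be on the URL.
const SAMPLE_JSON = '{"StartDate":"\\/Date(1436466600000)\\/","EndDate":"\\/Date(1439145000000)\\/","ClassType":0,"InstructorID":0}';
const SAMPLE_QUERY = 'searchdata=' + encodeURIComponent(SAMPLE_JSON);

// JavaScriptSerializer's date form: /Date(<milliseconds since the Unix epoch>)/
const MS_DATE = /^\/Date\((-?\d+)\)\/$/;

// JSON.parse reviver: convert "/Date(...)/" strings into Date objects and
// leave every other value untouched.
function reviveMsDate(key, value) {
  if (typeof value !== 'string') return value;
  const m = MS_DATE.exec(value);
  if (!m) return value;
  const ms = Number(m[1]);
  if (!Number.isSafeInteger(ms)) throw new RangeError(`bad timestamp in ${value}`);
  return new Date(ms);
}

// Parse the searchdata parameter. URLSearchParams does the percent-decoding,
// JSON.parse accepts "\/" and "/" alike, so nothing has to be patched by hand.
function parseSearchData(query) {
  const raw = new URLSearchParams(query).get('searchdata');
  if (raw === null) throw new Error('searchdata parameter missing');
  return JSON.parse(raw, reviveMsDate);
}
```

Unlike the string Replace() above, the reviver rejects a `/Date(...)/` whose number is not a safe integer instead of silently producing an invalid date.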

String is saved weirdly in HTML hidden input

The problem is with the way you're saving the string: you have to switch the type of quotes you use, otherwise JS doesn't know where the string ends and starts.

In your question it would look like this:

String productIDs = "[{'productID':'226167','productName':'It is my life (Bingo)'},{'productID':'3193','productName':'It is your name (jingo)'},{'productID':'273838','productName':'It's the same milk/Butter i drink/ate yesterday'}]"

You can also use \" instead of ' but that, to me, is a lot more confusing.

Edit

You can do this using the following code:

strUWantToChange.replace(/"/g, "'"); // the g flag replaces every quote; a plain string pattern would only replace the first one
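An added example, not the poster's code, showing the alternative to swapping quote characters: serialize the array with JSON.stringify and emit the result as a JavaScript literal, so quotes inside the data can never end the string early. PRODUCTS is a constructed sample with the same shape as the question's data; the third name contains an apostrophe on purpose.

```javascript
// Constructed sample data, shaped like the productIDs string in the question.
const PRODUCTS = [
  { productID: '226167', productName: 'It is my life (Bingo)' },
  { productID: '3193', productName: 'It is your name (jingo)' },
  { productID: '273838', productName: "It's the same milk/Butter i drink/ate yesterday" },
];

// JSON text is a valid JS expression. Escaping <, >, & stops "</script>" and
// "<!--" inside the data from terminating the script block; U+2028/2029 are
// escaped for engines that treat them as line terminators in string literals.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render the <script> block that hands the data to the page. The variable
// name is validated so it cannot smuggle code in either.
function renderDataScript(varName, value) {
  if (!/^[A-Za-z_$][\w$]*$/.test(varName)) throw new Error(`invalid identifier: ${varName}`);
  return `<script>var ${varName} = ${toInlineScriptLiteral(value)};</script>`;
}

// The quote-swapping approach from the answer above, for comparison: it holds
// only while no value contains the quote you switched to.
function swapDoubleForSingle(s) {
  return s.replace(/"/g, "'");
}

// Evaluate an expression the way the browser will when it reaches the script
// (test helper; returns the value or throws SyntaxError).
function evalLiteral(js) {
  return new Function(`return (${js});`)();
}
```

On the reading side, JSON.parse of the same text gives the array back unchanged, so there is no quote juggling in either direction.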

PHP, why do you escape my quotes?

Turn magic_quotes off in php.ini.

HTML-encoding lost when attribute read from input field

EDIT: This answer was posted a long time ago, and the htmlDecode function introduced an XSS vulnerability. It has been modified, changing the temporary element from a div to a textarea, reducing the XSS chance. But nowadays I would encourage you to use the DOMParser API as suggested in another answer.


I use these functions:

function htmlEncode(value){
// Create an in-memory element, set its inner text (which is automatically encoded)
// Then grab the encoded contents back out. The element never exists on the DOM.
return $('<textarea/>').text(value).html();
}

function htmlDecode(value){
return $('<textarea/>').html(value).text();
}

Basically a textarea element is created in memory, but it is never appended to the document.

On the htmlEncode function I set the innerText of the element, and retrieve the encoded innerHTML; on the htmlDecode function I set the innerHTML value of the element and the innerText is retrieved.


Do hidden input fields have to be escaped in ColdFusion?

The goal of escaping in this case is to keep the HTML well formed so yes - hidden vars need to be escaped (or encoded) as well. I usually use urlencodedformat() for this. Consider what would happen if the value you were placing in the hidden var were a variable like this:

<cfset form.fullname= 'Bob "the tiger" Johnson'/>

<input type="hidden" name="fullname" value="#form.fullname#"/>

The output would actually look like this:

<input type="hidden" name="fullname" value="Bob "the tiger" Johnson"/>

This would mean your hidden var would come through as "Bob " ... and the rest would be lost. The situation might get worse if any part of your strings contain HTML or slashes or angle brackets.
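An added example, not code from any of the answers on this page, that runs the point made by the PHP answer (htmlspecialchars, not addslashes), the jQuery htmlEncode/htmlDecode answer, and the ColdFusion answer above through plain JavaScript with no DOM. It escapes a value for a quoted attribute the way htmlspecialchars($s, ENT_QUOTES) does, contrasts that with an addslashes-style escape, decodes the entities again for the read-back case, and uses a small attribute extractor to show exactly where an unescaped quote cuts the value short. The helper names and the sample name are assumptions made here.

```javascript
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES): safe inside a quoted attribute.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Equivalent of PHP addslashes(): an escape for backslash-based languages, not HTML.
function addslashes(s) {
  return String(s).replace(/([\\'"])/g, '\\$1').replace(/\0/g, '\\0');
}

// Render a hidden input the way the answers above do; escapeFn decides how the
// value is treated so the three variants can be compared.
function hiddenInput(name, value, escapeFn) {
  return `<input type="hidden" name="${escapeHtmlAttr(name)}" value="${escapeFn(value)}">`;
}

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode the entities escapeHtmlAttr produces, plus decimal and hex numeric
// references. Decodes exactly once, so "&amp;lt;" becomes "&lt;", not "<".
function decodeHtml(s) {
  return String(s).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x' ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? m : named;
  });
}

// Read the value attribute as a tokenizer would: everything up to the next
// double quote, then entity-decode it. Used here only to show the truncation.
function readHiddenValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? decodeHtml(m[1]) : null;
}

// Constructed sample, the same name the ColdFusion answer uses.
const FULLNAME = 'Bob "the tiger" Johnson';
```

With the raw value the field reads back as `Bob `; with addslashes it reads back as `Bob \`, because the backslash means nothing to HTML and the quote still ends the attribute; only the entity-escaped form survives the round trip.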
