You're safe because when you apply htmlentities() these will be doubly marked up. So if the file contains "&" then the browser will receive "&".
HTH, Rob.

On Fri, 2003-08-08 at 11:57, Thaddeus J. Quintin wrote:
> CPT John W. Holmes wrote:
> --<SNIP>--
> > Try this:
> >
> > <textarea name="text">This is <some> text</textarea>
> >
> > If you submit that "text" and then print $_REQUEST['text'], you'll
> > see that you have
> >
> > This is <some> text
> --<SNIP>--
> Ok, but that only makes me realize the further extent of the problem.
>
> If the HTML file that they upload has '<' or '>' entities, then
> these characters will be displayed in the text area as '<' and '>'
> symbols. So when the text is submitted from the textarea, all of the
> user's HTML entities will have been destroyed.
>
> Any thoughts on this problem?
>
> Thaddeus
>
> CPT John W. Holmes wrote:
> > From: "Thaddeus J. Quintin" <[EMAIL PROTECTED]>
> >
> >> I'm working on a site where users have the option to type HTML code into
> >> a textarea, or upload HTML code from a local file which is then
> >> displayed in the text area.
> >>
> >> The obvious problem is that an uploaded file that contains a closing tag
> >> for a textarea can wreak havoc and eat up the rest of the page. So, in
> >> order to get it to display properly, I called htmlspecialchars() on the
> >> string and that works fine.
> >>
> >> After any editing has been done, I can convert the text back using
> >> html_entity_decode(). This seems to be a decent solution to the problem.
> >>
> >> However, if the user has included htmlentities in their code, won't
> >> these get converted when I call the decode function? Even something
> >> simple like using a '<' symbol for a little arrow. This would need to
> >> remain a '<' and not get converted when html_entity_decode() is called.
> >
> > You should not have to call html_entity_decode() at all. You encode the text
> > to get it to show in the text area. When the form is submitted, you get the
> > text exactly as it appears in the textarea, in other words, without the html
> > entities.
> >
> > Try this:
> >
> > <textarea name="text">This is <some> text</textarea>
> >
> > If you submit that "text" and then print $_REQUEST['text'], you'll see that
> > you have
> >
> > This is <some> text
> >
> > ---John Holmes...
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> .---------------------------------------------.
> | Worlds of Carnage - http://www.wocmud.org   |
> :---------------------------------------------:
> | Come visit a world of myth and legend where |
> | fantastical creatures come to life and the  |
> | stuff of nightmares grasp for your soul.    |
> `---------------------------------------------'
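The round trip the thread describes, as an added PHP example that is not code from any of the posters: the uploaded text is escaped once with htmlspecialchars() so that a stray closing tag cannot terminate the textarea, the browser decodes exactly that one layer when the form is submitted, and an entity the user wrote themselves (here a literal `&lt;`) comes back unchanged, so no html_entity_decode() is needed on the server. The sample upload, the function names and the browser_submit() stand-in for the browser's own decoding are all constructed for this example.

```php
<?php
// Added example, not from the mailing-list thread.
// Escapes user-supplied HTML so it can be shown inside a <textarea>.
// ENT_QUOTES escapes <, >, &, " and '. Because '&' becomes '&amp;',
// an entity the user typed (e.g. '&lt;') becomes '&amp;lt;' in the
// markup and is displayed by the browser as the text '&lt;'.
function textarea_field(string $name, string $content): string
{
    return '<textarea name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($content, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

// Stand-in for what the browser does on submit (assumption: a real browser
// decodes the entities it displayed and sends the literal text once).
// html_entity_decode() is used here only to simulate that single decoding step.
function browser_submit(string $rendered_textarea): string
{
    if (!preg_match('~<textarea[^>]*>(.*)</textarea>~s', $rendered_textarea, $m)) {
        throw new RuntimeException('no textarea found in rendered markup');
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample upload: contains a hand-written entity the user wants
// to keep, and a closing tag that would otherwise end the textarea early.
$uploaded = "<p>Arrow: &lt; here</p></textarea><p>this must stay inside the box</p>";

$html      = textarea_field('text', $uploaded);
$submitted = browser_submit($html);

// The rendered markup contains no bare '</textarea>' from the upload,
// only the one the field itself emits.
var_dump(substr_count($html, '</textarea>') === 1);   // bool(true)
// Server receives the original text, '&lt;' included, with no decode step.
var_dump($submitted === $uploaded);                     // bool(true)
```

The check on the submitted value is the point of John's reply: the server-side string equals what was uploaded, so calling html_entity_decode() on $_REQUEST['text'] would be the step that destroys the user's own entities, not the escaping.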