htmlspecialchars() - discrepancies with the documentation

[KhamaleonLab]

htmlspecialchars()
There are discrepancies with the documentation and the obtained results.

Summary of observations on htmlspecialchars():

1. Observed behavior:

   • htmlspecialchars() does not visually convert special characters into HTML entities as described in the documentation.
   • Escaped HTML and JavaScript are displayed as plain text in the browser, without converting into visible HTML entities.

2. Tests conducted:

   • Tested in multiple environments: local servers, cloud hosting, and Replit.
   • Used different versions of PHP, including 8.1.2.
   • Tested with various types of input, including simple HTML and JavaScript scripts.

3. Test results:

   • Example: htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES) displays <a href='test'>Test</a> in the browser, not the expected HTML entities.
   • Potentially malicious scripts and HTML do not execute, confirming the security functionality.
   • The page source code shows the text unescaped, the same as in the browser display.

4. Security functionality:

   • Despite the visual discrepancy, the function effectively prevents the execution of unwanted HTML and JavaScript code.
   • Script injection tests confirm that htmlspecialchars() still provides protection against XSS.

5. Consistency:

   • This behavior is consistent across different environments and PHP versions tested.

6. Discrepancy with the documentation:

   • The current PHP documentation suggests that special characters should visually convert into HTML entities, which does not happen in practice.

Conclusion:
Although htmlspecialchars() fulfills its primary security function, its visual behavior significantly differs from what is described in the official PHP documentation. This can cause confusion among developers and warrants a review of the documentation or an explanation of the observed behavior.

[cmb69]

Wrong repo – transferring.

[cmb69]

It seems to me that the function behaves as advertized, e.g. https://3v4l.org/Lsfop.

There is not even a single mention of "visual" in the manual. If you want to see the HTML entities, you may need to double escape, e.g. https://3v4l.org/Xfmrj.

Or maybe I'm misunderstanding your point. Maybe you can give a code example?

[damianwadley]

^ That.

Converting to entities does not mean you'll see "&lt;a href" on the page. It means you'll see "<a href" - because PHP is outputting "&lt;" and the browser is rendering that as a less-than symbol.

Do a View Source of the page.

(caution: GitHub does entity decoding in comments...)

[KhamaleonLab]

Thank you for responding,
What I meant is that in the example provided on the official page
https://www.php.net/manual/en/function.htmlspecialchars

$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

it gives the impression that the output on the screen should also show
<a href='test'>Test</a>
instead of <a href='test'>Test</a>

That was my observation, that although it performs its function, the documentation does not exactly match and can be confusing.

[Oldiesmann]

The comment in the documentation example is showing what the string will be after it's run through the function. Your browser will convert that into visible characters. That's how you're seeing what appears to be the code rather than whatever that HTML and/or JavaScript would normally produce

[cmb69]

Right. And it's not even given that a browser is involved; the output might go to the console, when using the CLI SAPI, for instance.

Note also, that the examples in the PHP manual are usually just some code snippets, not full scripts. E.g. the full script might be:

<?php
header('Content-Type: text/plain; charset=UTF-8');
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

I think we can close this; even though I think the documentation could be improved, it wouldn't make sense to clarify this for each and every example producing output.