I'd like to know if it's really necessary to escape my string with htmlentities($str, ENT_QUOTES, "UTF-8") before printing it in an HTML textarea.
Or does the textarea automatically escape the characters for me?
Yes, it is necessary.
Otherwise, a </textarea> in the input data would mess up your markup.
<textarea> <--------------------------- Your tag
</textarea> <------------------------ User input
<script>alert("Hello!");</script> <-- User input, XSS injection
</textarea> <-------------------------- Your tag
The textarea element is defined as containing PCDATA, so tags are not allowed inside it and entities are still decoded.
Browsers will perform error correction, but error correction is a poor substitute for not having errors in the first place.
Some errors will not be corrected (because they aren't syntax errors), such as when you want the data to be < or </textarea>.
Even if you decide that some errors are acceptable to you, then when you use a validator to perform basic QA, you will be generating noise that might obscure errors you care about.
So in short, yes, it is necessary to escape characters with special meaning. However, so long as you get your character encoding straight, htmlspecialchars is sufficient.
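To make both answers concrete, here is an added PHP example (not code from either answerer): it renders the same user-supplied string once without escaping, which lets the embedded </textarea> close the element early, and once through htmlspecialchars() with ENT_QUOTES and UTF-8, which keeps it as literal text. The function names and the sample input are constructed for this illustration.

```php
<?php
// Added example, not part of the original answers. Shows why a raw string
// breaks out of a <textarea> and why htmlspecialchars() is enough to stop it.
declare(strict_types=1);

// Constructed sample input: the same break-out sequence discussed in the
// answers, plus a bare "<" that a browser will not "error correct" for you.
$userInput = "hello </textarea><script>alert(\"Hello!\");</script> 1 < 2";

// Vulnerable rendering: the value is interpolated as-is. The first
// </textarea> inside the data closes our element and everything after it
// is parsed as markup, so the <script> executes.
function renderTextareaUnsafe(string $value): string
{
    return '<textarea name="comment">' . $value . '</textarea>';
}

// Hardened rendering: &, <, >, " and ' become entities. A textarea is PCDATA,
// so the browser decodes the entities back and the user sees their original
// text, but no tag can be formed from it. ENT_QUOTES escapes both quote
// kinds; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function renderTextareaSafe(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="comment">' . $escaped . '</textarea>';
}

// Simple invariant you can assert in a test suite: the rendered fragment
// must contain exactly one closing </textarea>, the one we wrote ourselves.
function textareaIsIntact(string $html): bool
{
    return substr_count(strtolower($html), '</textarea') === 1;
}

$unsafe = renderTextareaUnsafe($userInput);
$safe   = renderTextareaSafe($userInput);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// The unsafe fragment fails the invariant; the escaped one passes it.
var_dump(textareaIsIntact($unsafe));
var_dump(textareaIsIntact($safe));
```

Note that htmlentities() would also work here, but as the second answer says it is not needed: only the characters with markup meaning have to be escaped, and non-ASCII text is safe to emit as long as the page's declared charset matches the string's actual encoding.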