I need to print an error which contains HTML formatting, which in my case is <strong>. Here's the code that I want to produce the output:

if (empty($namabelakang)) {
    $errors[] = "<strong>Nama Belakang</strong> tidak boleh kosong";
}

And here's the one which I use to print it:

foreach ($errors as $error) {
    echo clean($error) . "<br>";
}

It doesn't print as I'm expecting; it prints

<strong>Nama Belakang</strong> tidak boleh kosong

Rather than:

Nama Belakang tidak boleh kosong

Please help me, how can I fix it? Here's the code for the clean function:

function clean($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
2 Comments
  • What does the clean() function do? Commented Dec 25, 2014 at 11:08
  • @Purag I put the clean function in my question just a couple of minutes ago. Please see it again. Commented Dec 25, 2014 at 11:14

5 Answers

1

If you want it to print as actual HTML, then you shouldn't use htmlspecialchars(). That function will convert it to character codes that will prevent it from rendering as actual HTML.

function clean($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

$str = "<strong>Nama Belakang</strong> tidak boleh kosong";
echo clean($str);

// prints out "&lt;strong&gt;Nama Belakang&lt;/strong&gt; tidak boleh kosong"

What you want is to print the actual HTML. htmlspecialchars() will convert any special characters in the string to their associated ASCII character codes.

In terms of security, there isn't much of a risk when printing HTML. What's the worst that could happen? You could remove script tags beforehand, that should prevent any malicious intent.


9 Comments

I just don't want to risk my web just because of using strong.
How about <script>, is it not part of it?
Not sure I understand you. I just meant that if you want to be extra secure, you could remove any script tags inside the string and echo that. But it sounds like you're in control of the content of the string, so you have nothing to worry about. Security is not an issue in this case. :)
@Kyo I'm not sure I was clear enough. You should not use htmlspecialchars(). It is what is causing your problem.
Please read this: sitepoint.com/php-security-cross-site-scripting-attacks-xss. Is it still safe to not use htmlspecialchars?
0
foreach ($errors as $error) {
    echo htmlspecialchars($error) . "<br>";
}

Documentation

8 Comments

You mean the htmlspecialchars that I put in my clean function does this? How come it's different? But I'll give it a try.
I already removed my function and used this: echo htmlspecialchars($error)."<br>"; but it still doesn't work.
@Kyo can you post the header of the page where you use this function?
Not inside a function but after <?php, and it's at the top of the pages. Am I wrong to put it there?
@Kyo yes, the header of the page must be before its content (body).
0

Don't use the clean function...

Just echo like:

foreach($errors as $error){
    echo $error . "<br>";
}

There are no other functions needed.

Of course you could add trim(), like echo trim($error), so there would be no whitespace at the beginning and end.

All other functions like htmlspecialchars or stripslashes will transform your string to plain text and won't let you see the HTML result :)

3 Comments

I'm afraid if I remove htmlspecialchars it will create a risk if a hacker is attacking my website. Are there any possible ways to print without removing it?
Actually you are not executing code... you just echo it, so there is no security problem; even if there is source in the "echo" part it won't be executed as code. Have you tried to only use stripslashes?
Please read this: sitepoint.com/php-security-cross-site-scripting-attacks-xss. Is it still safe to not use htmlspecialchars?
0
function clean($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    // re-open only the two exact <strong> tags after escaping
    $data = str_replace(array("&lt;strong&gt;", "&lt;/strong&gt;"), array("<strong>", "</strong>"), $data);
    return $data;
}

5 Comments

@Purag I found the answer for how I should do this without worrying about the security of my code.
DO NOT USE HTMLSPECIALCHARS. I cannot emphasize this enough. In this code, all you are doing is using it and then undoing what it does. What is the point of using it? THERE IS NO SECURITY ISSUE.
This is code that YOU have written, how could it possibly be used against you? The only thing you need to make sure is secure is when you have user input that you evaluate with PHP.
Let's say a hacker finds a way to inject some code into my $error variable and inserts their code. Then $error prints the code without sanitizing it. Well, the most common mistake for programmers is that they think their programs are safe. But you know, we can't imagine what a hacker can do. Maybe after learning PHP I will learn hacking too, so I know the details of how they can hijack my script.
They cannot inject something into $error unless you let them.
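The pattern that resolves the disagreement running through the question, the first answer and the str_replace answer above is to keep the markup you wrote separate from the data you are displaying: store errors as data, and escape only the data at output time, so the trusted <strong> wrapper is never passed through htmlspecialchars() and never needs to be "undone". The following is an added example written for this page, not code from the question or from any of the answers; the helper names h(), add_error() and render_error() and the hostile sample label are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the question or any answer): keep markup and data apart.
// The error list holds structured data; HTML is produced only at output time,
// and only the data parts go through htmlspecialchars().
declare(strict_types=1);

/** Escape one untrusted string for placement in HTML text content or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES also escapes single quotes (needed inside single-quoted attributes).
    // ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning '' for the whole string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Record an error as data (field label + message), not as pre-rendered HTML. */
function add_error(array &$errors, string $label, string $message): void
{
    $errors[] = ['label' => $label, 'message' => $message];
}

/** Render one error: the <strong> wrapper is literal markup we wrote; both data parts are escaped. */
function render_error(array $error): string
{
    return '<strong>' . h($error['label']) . '</strong> ' . h($error['message']);
}

// Usage, mirroring the validation in the question.
$errors = [];
$namabelakang = trim($_POST['namabelakang'] ?? '');   // form field from the question
if ($namabelakang === '') {
    add_error($errors, 'Nama Belakang', 'tidak boleh kosong');
}

// Constructed hostile value (hypothetical): if a label were ever taken from
// request input, it is still rendered as text, never as markup.
add_error($errors, '<script>alert(1)</script>', 'contoh');

foreach ($errors as $error) {
    echo render_error($error), "<br>\n";
}
```

Because the only string that goes through htmlspecialchars() is the data, the bold label renders as intended, while a label containing a script tag is shown literally as text in the browser. This is also why the str_replace "re-open the tags" variant is unnecessary: nothing you wrote yourself is ever escaped, so nothing has to be unescaped afterwards.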
0

An easy way to solve this problem is putting $error inside "" like so:

foreach($errors as $error){
    echo "$error <br>";
}
