[2016-02-12 16:08 UTC] stheine at arcor dot de
Description:
------------
The documentation ( http://php.net/manual/en/filter.filters.sanitize.php ) states for filter_var, option FILTER_SANITIZE_FULL_SPECIAL_CHARS: "Equivalent to calling htmlspecialchars() with ENT_QUOTES set." But in reality, the two differ. FILTER_SANITIZE_FULL_SPECIAL_CHARS is missing the FILTER_FLAG_ENCODE_AMP flag (which is not even documented for that filter) to actually be equivalent to htmlspecialchars() as documented.

Test script:
---------------
$STRING = "1 2";
echo htmlspecialchars($STRING, ENT_QUOTES)."\n".
     filter_var($STRING, FILTER_SANITIZE_FULL_SPECIAL_CHARS)."\n";

1 2
1 2

Expected result:
----------------
Following the documentation, I expect filter_var("1 2", FILTER_SANITIZE_FULL_SPECIAL_CHARS) to return

1 2

Actual result:
--------------
1 2
Well, FILTER_SANITIZE_FULL_SPECIAL_CHARS is actually equivalent to htmlentities($string, ENT_QUOTES, ini_get('default_charset'), false). See <https://3v4l.org/PStra>. Note that $double_encode is off, and that it's htmlentities() and not htmlspecialchars().

> the FILTER_FLAG_ENCODE_AMP flag (which is not even documented
> for that filter)

Right, that should be added. But frankly, I don't understand why anybody would want to use that filter on input. HTML escaping should be done on output, IMHO.
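The following is an added example, not code from the bug report or from the reply above. It runs the three calls discussed on this page (htmlspecialchars() with ENT_QUOTES, htmlentities() with $double_encode off, and filter_var() with FILTER_SANITIZE_FULL_SPECIAL_CHARS) over a few constructed inputs chosen to expose where they diverge, then shows the double-encoding that results from escaping on input and again on output. It assumes default_charset is UTF-8, as on a stock installation; the sample strings and the $raw/$stored/$twice/$once names are illustrative.

```php
<?php
declare(strict_types=1);

// Added example (not from the bug report or the reply). Assumes
// default_charset = UTF-8. Sample inputs below are constructed.

/** The three escaped forms of $s, side by side. */
function compare_escapes(string $s): array
{
    $charset = (string) ini_get('default_charset');
    return [
        'htmlspecialchars(ENT_QUOTES)'       => htmlspecialchars($s, ENT_QUOTES, $charset),
        'htmlentities(..., false)'           => htmlentities($s, ENT_QUOTES, $charset, false),
        'FILTER_SANITIZE_FULL_SPECIAL_CHARS' => (string) filter_var($s, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
    ];
}

// Constructed inputs, each chosen to expose one difference.
$samples = [
    "1 & 2",                    // bare ampersand: all three agree ("1 &amp; 2")
    "1 &amp; 2",                // existing entity: double_encode=false leaves it alone,
                                // htmlspecialchars() turns it into "1 &amp;amp; 2"
    "<a href='x' title=\"y\">", // tags and both quote styles: all three agree
    "caf\u{E9}",                // non-ASCII: htmlentities() emits &eacute;, htmlspecialchars() does not
];

foreach ($samples as $s) {
    echo "input: $s\n";
    foreach (compare_escapes($s) as $call => $out) {
        printf("  %-36s %s\n", $call, $out);
    }
}

// Why escaping belongs on output: a value escaped on input and stored, then
// escaped again when rendered, is double-encoded and the page shows the
// literal text "1 &amp; 2" instead of "1 & 2". Storing the raw value and
// escaping exactly once at the output boundary avoids that.
$raw    = "1 & 2";
$stored = (string) filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS);       // "1 &amp; 2" lands in the database
$twice  = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');     // "1 &amp;amp; 2"
$once   = htmlspecialchars($raw,    ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');     // "1 &amp; 2"
printf("\nstored after input filter:  %s\nescaped again on output:    %s\nescaped once on output:     %s\n",
    $stored, $twice, $once);
```

In the comparison table the filter column matches the htmlentities() column on every row and differs from htmlspecialchars() on the pre-encoded and non-ASCII rows, which is the equivalence stated in the reply. ENT_SUBSTITUTE is included in the output-side calls so that an invalid UTF-8 byte sequence is replaced rather than causing the whole string to be returned empty.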