We're escaping for content, not escaping for attributes (attribute escaping should be handled by different code). So does anyone remember the parameters of htmlspecialchars? http://ca.php.net/htmlspecialchars
string **htmlspecialchars** ( string $string [, int $quote_style [, string $charset [, bool $double_encode ]]] ) ($charset since 4.1.0; $double_encode since 5.2.3)
You know that you can use: $text = htmlspecialchars( $text, ENT_NOQUOTES );
And the quotes won't be encoded.
Though personally... when I make a sanitizer I go for what it's meant to do. Things like my cleanHtml are meant to make things safe, not to escape things. htmlspecialchars is meant to take text and escape it so that when it's output into HTML it looks the same and isn't mangled by things that the renderer thinks are entities. So on that, my sanitizers only convert < and > into &lt; and &gt;; they don't do any other encoding, and they don't double-encode the entities for <>. Because the point is to make the syntax so that it won't be considered evil HTML. And only <> needs to be escaped for that purpose.
~Daniel Friesen(Dantman, Nadir-Seen-Fire) of:
-The Nadir-Point Group (http://nadir-point.com)
--It's Wiki-Tools subgroup (http://wiki-tools.com)
--The ElectronicMe project (http://electronic-me.org)
--Games-G.P.S. (http://ggps.org)
-And Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG)
--Animepedia (http://anime.wikia.com)
--Narutopedia (http://naruto.wikia.com)
Simetrical wrote:
On Thu, Jul 31, 2008 at 5:39 PM, Aran aran@organicdesign.co.nz wrote:
The current revision doesn't allow you to have quotes in the inline CSS; for example, the quotes in the following inline CSS will be converted to entities:
{{#css: .foo { font-family: "Times New Roman"; } }}
Yeah, you're right, this is broken. We need a CDATA escaper. It should be trivial to write, though.
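Editor's added example, not code from this thread or from MediaWiki's #css extension: the three escaping contexts the thread touches on, side by side in PHP. Element text content (htmlspecialchars with ENT_NOQUOTES), attribute values (ENT_QUOTES), Daniel's minimal <> escaper, and the "CDATA escaper" Simetrical says is needed for the body of a <style> element. The function names are invented for illustration; the sample CSS is the line Aran quoted, and the hostile input is constructed.

```php
<?php
// Added example, not code from this thread or from MediaWiki. Function names
// are invented for illustration; the sample CSS is the line Aran quoted.

// Element text content: the parser decodes entities here, so & < > must be
// encoded. Quotes are harmless in this context, hence ENT_NOQUOTES. The
// charset is passed explicitly because the default differed before PHP 5.4.
function escapeTextContent($text)
{
    return htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
}

// Attribute values are a different context handled by different code (as
// Daniel says): a quote can terminate the value, so ENT_QUOTES.
function escapeAttributeValue($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The minimal "make it harmless" approach from Daniel's post: only < and >
// are touched, nothing else is encoded, and existing entities are not
// double-encoded. Enough to stop a tag from forming in text content, but a
// bare & is left alone, so the output is not an exact round-trip of the text.
function neutraliseTags($text)
{
    return strtr($text, array('<' => '&lt;', '>' => '&gt;'));
}

// The "CDATA escaper" the thread asks for: content of a <style> element.
// The parser does NOT decode entities inside <style>, which is why running
// htmlspecialchars over Aran's CSS breaks it: &quot; stays literal and the
// font name is no longer a CSS string. The only thing that can terminate the
// element is "</style" (any "</" under HTML 4's CDATA rules), so the one
// character that must never appear raw is "<". It is replaced with the CSS
// hex escape \3c plus a terminating space (consumed by the escape), which
// decodes back to "<" inside a CSS string and is inert anywhere else.
// ">" must be left alone: it is the child combinator in selectors.
// This only prevents breaking out of <style>; it does not vet the CSS itself.
function escapeStyleContent($css)
{
    return str_replace('<', '\\3c ', $css);
}

$css = '.foo { font-family: "Times New Roman"; }';

// What the extension was effectively doing: ENT_COMPAT encodes double quotes,
// which mangles the CSS string.
echo htmlspecialchars($css, ENT_COMPAT, 'UTF-8'), "\n";

// CDATA-style escaping leaves the quotes, and the CSS, intact.
echo escapeStyleContent($css), "\n";

// A constructed breakout attempt: every "<" is escaped, so neither the
// closing </style> nor the <script> tag can form.
$hostile = '.x{} </style><script>alert(1)</script>';
echo escapeStyleContent($hostile), "\n";

// For ordinary text content, ENT_NOQUOTES also leaves the quotes alone while
// still encoding & < >.
echo escapeTextContent('<b>"quoted" & escaped</b>'), "\n";
echo neutraliseTags('<b>"quoted" & escaped</b>'), "\n";
echo escapeAttributeValue('x" onmouseover="alert(1)'), "\n";
```

Running it shows the first echo with &quot; in place of both double quotes, while escapeStyleContent returns Aran's line unchanged and turns the hostile input into `.x{} \3c /style>\3c script>alert(1)\3c /script>`. The point of keeping these as separate functions is the one Daniel makes about attributes: which characters are dangerous depends on where the string lands, and a <style> body is a third context where entity encoding is not just unnecessary but wrong.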