We're escaping for content, not escaping for attributes (attribute
escaping should be handled by different code). So does anyone remember
the parameters of htmlspecialchars?
http://ca.php.net/htmlspecialchars
string **htmlspecialchars** ( string $string [, int $quote_style [,
string $charset [, bool $double_encode ]]] )
($charset since 4.1.0; $double_encode since 5.2.3)
You know that you can use:
$text = htmlspecialchars( $text, ENT_NOQUOTES );
And the quotes won't be encoded.
Though personally... When I make a sanitizer I go for what it's meant to
do. Thing like my cleanHtml are meant to make things safe, not escaping
of things. htmlspecialchars is meant to take text, and escape it so that
when it's outputted into html it looks the same and isn't mangled by
things that the renderer thinks are entities.
So on that, my sanitizers only convert < and > into < and > they
don't do any other encoding, and they don't double encode the entities
for <>. Cause the point is to make the syntax so that it won't be
considered evil html. And only <> needs to be escaped for that purpose.
~Daniel Friesen(Dantman, Nadir-Seen-Fire) of:
-The Nadir-Point Group (
http://nadir-point.com)
--It's Wiki-Tools subgroup (
http://wiki-tools.com)
--The ElectronicMe project (
http://electronic-me.org)
--Games-G.P.S. (
http://ggps.org)
-And Wikia ACG on
Wikia.com (
http://wikia.com/wiki/Wikia_ACG)
--Animepedia (
http://anime.wikia.com)
--Narutopedia (
http://naruto.wikia.com)
Simetrical wrote:
On Thu, Jul 31, 2008 at 5:39 PM, Aran
<aran(a)organicdesign.co.nz> wrote:
The current revision doesn't allow you have
quotes in the inline css for
example the quotes in the following inline css will be converted to
entities:
{{#css:
.foo {
font-family: "Times New Roman";
}
}}
Yeah, you're right, this is broken. We need a CDATA escaper. It
should be trivial to write, though.