2

My question is similar to this question but I'm not using code igniter. I'm echoing variables obtained from a database into the value attribute of a text input. The variables may contain ' or " or any other special chars.

I tried:

<input type="text" name="myTextInput" value="<?= htmlspecialchars($dbValue, ENT_QUOTES); ?>" />

but it outputs quotes as &quot; or &#039; which is not what I want. I want the text input to actually contain the quotes as typed by the user.

Should I be using a PHP function or a JavaScript function to escape the string? If I don't escape it I get a JavaScript error because the quotes inside the $dbValue string are interacting with the value attribute quotes.

Devin Crossman
  • Same problem. I resolved it by using only htmlspecialchars($value); and that's perfect even with é, ô, ñ mixed with '' and " – Peter Nov 20 '15 at 13:57

4 Answers

5

That's exactly what you DO want, however. e.g.

if your inserted data is

Davy "Dead Pirate" Jones

and you insert that into an input field literally, you'd end up with

<input type="text" name="..." value="Davy "Dead Pirate" Jones" />

which will be interpreted as follows:

<input> field with attributes:
    text -> 'text'
    name -> '...'
    value -> ' '   (a single space)
    Dead -> 
    Pirate ->
    " ?   dangling quote
    Jones ->
    " ? -> another dangling quote

By comparison, after doing an html_entities, you'd have

 Davy &quot;Dead Pirate&quot; Jones

and that can be inserted into the <input> field without issue.

If the input field's value contains a literal &quot; that's visible to the user, then you've got some double-encoding going on.

Marc B
4

You'll want to use html_entity_decode. Here's an example from the documentation:

<?php
$orig = "I'll \"walk\" the <b>dog</b> now";

$a = htmlentities($orig);

$b = html_entity_decode($a);

echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now

echo $b; // I'll "walk" the <b>dog</b> now
?>

Reference: http://www.php.net/manual/en/function.html-entity-decode.php

Daniel Li
2

You're looking for the opposite of htmlspecialchars, try using html_entity_decode.

Here is your code using html_entity_decode.

<input type="text" name="myTextInput" value="<?= html_entity_decode($dbValue, ENT_QUOTES); ?>" />

Here is a link to the manual -> http://www.php.net/manual/en/function.html-entity-decode.php

If you have any problems using this you might want to check out this question, which has a common encoding problem -> https://stackoverflow.com/a/4638621/1065786

Undefined
0

To display single quotes, double quotes and HTML tags as a text field value, try:

<?php
$formVal = htmlspecialchars($dbValue, ENT_COMPAT, 'utf-8');
// or this:
// $formVal = htmlspecialchars($dbValue);
?>

<!-- html -->
<form>
<input type="text" name="myTextInput" value="<?php echo $formVal; ?>" />
</form>

http://www.sitepoint.com/form-validation-with-php
https://www.inanimatt.com/php-output-escaping.html

Vladimir Vukanac
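Added example (not code from the answer above): the difference between the ENT_COMPAT flag used there and ENT_QUOTES. ENT_COMPAT escapes only double quotes, which is fine while the attribute itself is double-quoted but breaks as soon as a template uses single-quoted attributes. Before PHP 8.1 the plain htmlspecialchars($dbValue) call shown as the alternative behaves like ENT_COMPAT; from 8.1 on the default flags include ENT_QUOTES. $dbValue is a constructed sample containing both kinds of quote.

```php
<?php
// Added example, not code from the answer above: ENT_COMPAT versus ENT_QUOTES
// for the same value in double- and single-quoted attributes.
// $dbValue is a constructed sample containing both kinds of quote.
declare(strict_types=1);

$dbValue = "O'Brien said \"hi\"";

$compat = htmlspecialchars($dbValue, ENT_COMPAT, 'UTF-8');
$quotes = htmlspecialchars($dbValue, ENT_QUOTES, 'UTF-8');

echo $compat, "\n"; // O'Brien said &quot;hi&quot;        (single quote left as-is)
echo $quotes, "\n"; // O&#039;Brien said &quot;hi&quot;   (both kinds escaped)

// In a double-quoted attribute both results keep the markup intact:
echo '<input type="text" name="a" value="' . $compat . '" />', "\n";
echo '<input type="text" name="b" value="' . $quotes . '" />', "\n";

// In a single-quoted attribute the ENT_COMPAT result ends the attribute at O':
echo "<input type='text' name='c' value='" . $compat . "' />", "\n";
// <input type='text' name='c' value='O'Brien said &quot;hi&quot;' />

// ENT_QUOTES is correct in either quoting style, so use it unconditionally:
echo "<input type='text' name='d' value='" . $quotes . "' />", "\n";
// <input type='text' name='d' value='O&#039;Brien said &quot;hi&quot;' />
```

Passing the charset explicitly ('UTF-8' here, 'utf-8' in the answer above) is the reason the accented characters mentioned in the question's comment survive: htmlspecialchars only rewrites the five special characters and leaves valid multibyte text alone.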