2

I wanted to ask: in a PHP script of mine, which I am accessing through an AJAX request, I am returning JSON data (converted from an array) like so:

 echo json_encode($row_array);

I get this data in jQuery and display it in a form. Do I need to apply htmlspecialchars / htmlentities before returning the data?

If so, then what's the correct way to do it? The following code gives me an error:

echo htmlentities(json_encode($row_array));

Thanking you, Imran

Imran Omar Bukhsh
  • Wouldn't it be easier to just test it yourself? You could have been done by now... – Wesley Murch Sep 08 '12 at 15:13
  • @WesleyMurch, It's a valid question. Even if he had tested it, it might have worked but still been problematic. – Brad Sep 08 '12 at 15:14
  • @Brad: "Valid" does not mean "good". This shows zero research effort. What do you mean "it might have worked but still been problematic"? – Wesley Murch Sep 08 '12 at 15:15
  • @WesleyMurch, You can create broken HTML and get away with it. He might have output straight JSON data to HTML, and it might have been fine until the day the JSON data contains `<` and `>`, for example. – Brad Sep 08 '12 at 15:16
  • @Brad: Obviously that would be the type of thing to test... HTML characters. – Wesley Murch Sep 08 '12 at 15:17
  • @WesleyMurch, ... obvious to you and I, not him. – Brad Sep 08 '12 at 15:19
  • @WesleyMurch, Ok, now it's a bad question. Imran, be much more specific when you say "the following code gives me an error". The only way it could would be on the `json_encode()`. What data are you passing to it? – Brad Sep 08 '12 at 15:25
  • @WesleyMurch, It's JSON-ENCODED, that **is a string**. – Brad Sep 08 '12 at 15:28

3 Answers

2

Do not apply htmlentities in this way. You should walk the array before JSON-encoding it and escape each element, then JSON-encode the array of safe-to-display values. In your usage JSON is just a transport layer for the array. You are not displaying the JSON array, just the element data. Don't escape transport layers: it could make the JSON string invalid.

Ray
2

Context is important.

You don't need to escape the data at all on the server side if it's going into a form input's value if you are using jQuery's val() function to populate it.

Example: http://jsfiddle.net/Y6TWv/1/

var data = '<strong>STRONG TEXT</strong>';

$('input').val(data); // output is escaped
$('p').text(data);    // output is escaped
$('p').html(data);    // output is not escaped

In addition, if you were to escape the data, don't do it like this:

// escapes the entire json string, not good - quotes will be broken
echo htmlentities(json_encode($row_array));

You would have to escape each item of $row_array first before json encoding it, either with array_map after the array is built, or as you're building the array.

In general, you should prefer htmlspecialchars over htmlentities, but it's not likely you need either one.

Wesley Murch
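The two answers above make the same point from different angles: escape the values, never the encoded JSON, and only when a value is actually going into HTML. The following is an added example, not code from either answer, written as Node-style JavaScript in place of the PHP/jQuery pair so the whole round trip can be run in one file. `row` is constructed sample data standing in for $row_array, `htmlEscape` mirrors what PHP's htmlspecialchars($s, ENT_QUOTES) produces, `encodeThenEscape` is the broken `htmlentities(json_encode(...))` pattern, `escapeValuesDeep` is the "walk the array first" approach, and `buildHtml` shows the other option: ship the JSON raw and escape at the one place where HTML is assembled.

```javascript
// Added example, not code from either answer above. `row` is constructed
// sample data in the role of $row_array; htmlEscape mirrors the output of
// PHP's htmlspecialchars($s, ENT_QUOTES).
const row = { name: "O'Reilly & Sons <b>bold</b>", note: 'say "hi"', id: 7 };

// Escape the five characters that matter in HTML text and attribute contexts.
// '&' goes first so already-produced entities are not escaped a second time.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Wrong: escaping the encoded JSON (the transport layer) turns every
// structural double quote into &quot;, so the client can no longer parse it.
function encodeThenEscape(obj) {
  return htmlEscape(JSON.stringify(obj));
}

// Right, if the server must escape: walk the structure, escape each string
// value, leave keys, numbers, booleans and null untouched, then encode.
function escapeValuesDeep(value) {
  if (Array.isArray(value)) return value.map(escapeValuesDeep);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = escapeValuesDeep(v);
    return out;
  }
  return typeof value === 'string' ? htmlEscape(value) : value;
}

function escapeThenEncode(obj) {
  return JSON.stringify(escapeValuesDeep(obj));
}

// What the browser side does with each response: jQuery's ajax helpers run
// JSON.parse on the body, and a parse failure is the "error" seen in practice.
function tryParse(json) {
  try {
    return { ok: true, value: JSON.parse(json) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// The other option: leave the JSON raw and escape only where HTML is built
// (the case that would otherwise reach .html()). Values going into .val()
// or .text() need no escaping at all, so this is the single point where the
// data meets an HTML parser.
function buildHtml(rawRow) {
  return '<li data-id="' + htmlEscape(rawRow.id) + '">' +
    htmlEscape(rawRow.name) + '</li>';
}
```

Note the trade-off the two approaches carry: with `escapeThenEncode` the values arrive already entity-encoded, so putting them into an input with `.val()` shows the user a literal `&amp;`; with raw JSON plus `buildHtml` the data is correct in every sink and escaping happens exactly where the context is known, which is why the second answer says context matters.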
0

I just had a problem with single quotes in a JSON array. Chrome doesn't like single quotes in a JSON response returned via ajax. I escaped each value with htmlspecialchars(, ENT_QUOTES).

// $result is the already-executed query handle (not shown in the original).
// Escape the display text of each row (ENT_QUOTES also converts single
// quotes) before the array is JSON-encoded; the numeric ID is left as-is.
$theoptions['MemberList'] = array();
while ($row = mssql_fetch_assoc($result)) {
    $memberelement = array(
        'Display' => htmlspecialchars($row['FullName'], ENT_QUOTES),
        'Value'   => $row['ID'],
    );
    $theoptions['MemberList'][] = $memberelement;
}

// Declare the body as JSON so the client parses it instead of treating it as text.
header('Content-Type: application/json');
echo json_encode($theoptions);