2

I have the following code:

```php
<input type="text" name="nr_p_vac" value="<?php echo htmlspecialchars($row['nr_p_vac']); ?>">
```

where $row['nr_p_vac'] is test ' " / /n /t <>.

When I'm not using htmlspecialchars in the input there's only test ' (of course, because " is not escaped).

When I'm using the htmlspecialchars function the input has the correct value ' " / /n /t <> (because now ' and " are properly escaped).

But shouldn't the content of the input be transformed into something like test &apos; '&quot;' etc.?

Is it ok to use htmlspecialchars in this case?

Hello Lili
  • http://php.net/manual/en/function.htmlspecialchars.php – Casimir et Hippolyte Feb 25 '15 at 11:21
  • @CasimiretHippolyte I have read the manual, that's the reason I asked the question. The manual says: The translations performed are: '&' (ampersand) becomes '&amp;'; '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set; "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set; '<' (less than) becomes '&lt;'; '>' (greater than) becomes '&gt;' – Hello Lili Feb 25 '15 at 11:23
  • @CasimiretHippolyte The problem is, inside my value=" ", it doesn't change the characters like the manual says. I wanted to know why this is happening. – Hello Lili Feb 25 '15 at 11:24
  • Try `echo htmlspecialchars("ab\"cd");` Output: `ab"cd` – Makesh Feb 25 '15 at 11:27
  • _“The problem is, inside my value=" ", it doesn't change the characters like the manual says”_ – did you look at the generated HTML output (view source code in your browser) – or just at what your browser displays when it has _interpreted_ it as HTML already …? – CBroe Feb 25 '15 at 11:29
  • @CBroe yes, I forgot to check the source. I understand now – Hello Lili Feb 25 '15 at 11:33

1 Answer

3

You can look at the page source and you will see that the value is

' &quot; / /n /t &lt;&gt;

It is ok to use it in your case.

Already answered here: How to properly escape html form input default values in php?

Ôrel
  • Oh, I understand now. By the way, given the fact the question is already answered somewhere else should I delete my question? – Hello Lili Feb 25 '15 at 11:27
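
The difference between the page source and what the browser shows after interpreting it, as an added example that is not part of the original question or answer. It uses a constructed sample value modelled on the question's, a hypothetical helper `parsed_value()` (it needs PHP's dom extension), and explicit flags so the result does not depend on the PHP version's default (`ENT_COMPAT` before PHP 8.1, `ENT_QUOTES` from 8.1 on):

```php
<?php
declare(strict_types=1);

// Constructed sample value, modelled on the one in the question.
$value = "test ' \" / /n /t <>";

// Hypothetical helper: parse the markup roughly as a browser would and return
// the value attribute the parser ends up with.
function parsed_value(string $html): ?string
{
    $doc = new DOMDocument();
    // Suppress libxml notices about the deliberately broken, unescaped variant.
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input instanceof DOMElement ? $input->getAttribute('value') : null;
}

$variants = [
    'no escaping' => $value,
    'ENT_COMPAT'  => htmlspecialchars($value, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8'),
    'ENT_QUOTES'  => htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
];

foreach ($variants as $label => $escaped) {
    // Try both attribute delimiters: ENT_COMPAT leaves ' untouched, so it only
    // protects a value placed inside a double-quoted attribute.
    foreach (['"', "'"] as $q) {
        $html = "<input type={$q}text{$q} name={$q}nr_p_vac{$q} value={$q}{$escaped}{$q}>";
        $seen = parsed_value($html);

        printf("%s, attribute delimited by %s\n", $label, $q);
        printf("  page source : %s\n", $html);
        printf("  parsed value: [%s]\n", $seen ?? 'no input element found');
        printf("  round trip  : %s\n\n", $seen === $value ? 'intact' : 'ALTERED');
    }
}
```

The "page source" lines contain the entities the manual describes, while the "parsed value" lines show what the form field actually holds once the markup has been interpreted.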