1.2.797. No ENT_IGNORE¶
Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings.
ENT_IGNORE is a configuration option for htmlspecialchars(), that ignore any needed character replacement. This mean the raw input will now be processed by PHP, or a target browser.
It is recommended to use the other configuration options : ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES, ENT_SUBSTITUTE, ENT_DISALLOWED, ENT_HTML401, ENT_XML1, ENT_XHTML or ENT_HTML5.
<?php
// This produces a valid HTML tag
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_IGNORE);
echo $new; // <a href='test'>Test</a>
// This produces a valid string, without any HTML special value
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href='test'>Test</a>
?>
See also htmlspecialchars and Deletion of Code Points.
1.2.797.1. Suggestions¶
Use of the the other options
1.2.797.2. Specs¶
Short name |
Security/NoEntIgnore |
Rulesets |
|
Exakat since |
1.9.2 |
PHP Version |
All |
Severity |
Minor |
Time To Fix |
Quick (30 mins) |
Precision |
Very high |
Features |
html-escape |
Available in |