1.2.802. No ENT_IGNORE

Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings.

ENT_IGNORE is a configuration option for htmlspecialchars(), that ignore any needed character replacement. This mean the raw input will now be processed by PHP, or a target browser.

It is recommended to use the other configuration options : ENT_COMPAT, ENT_QUOTES, ENT_NOQUOTES, ENT_SUBSTITUTE, ENT_DISALLOWED, ENT_HTML401, ENT_XML1, ENT_XHTML or ENT_HTML5.

<?php

// This produces a valid HTML tag
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_IGNORE);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

// This produces a valid string, without any HTML special value
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

?>

See also htmlspecialchars and Deletion of Code Points.

1.2.802.1. Connex PHP features

• html-escape

1.2.802.1.1. Suggestions

• Use of the the other options

1.2.802.1.2. Specs

Short name	Security/NoEntIgnore
Rulesets	All, Changed Behavior, Security
Exakat since	1.9.2
PHP Version	All
Severity	Minor
Time To Fix	Quick (30 mins)
Precision	Very high
Available in	Entreprise Edition, Exakat Cloud