1.2.528. Htmlentities Using Default Flag¶
htmlspecialchars(), htmlentities(), htmlspecialchars_decode(), html_entity_decode() and get_html_translation_table(), are used to prevent injecting special characters in HTML code. As a bare minimum, they take a string and encode it for HTML.
The second argument of the functions is the type of protection. The protection may apply to quotes or not, to HTML 4 or 5, etc. It is highly recommended to set it explicitly.
In PHP 8.1, the default value of this parameter has changed. It used to be ENT_COMPAT and is now ENT_QUOTES | `ENT_SUBSTITUTE <https://www.php.net/ENT_SUBSTITUTE>`_. The main difference between the different configuration is that the single quote, which was left intact so far, is now protected HTML style.
<?php
$str = 'A quote in <b>bold</b> : \' and ""';
// PHP 8.0 outputs, without depending on the php.ini: A quote in <b>bold</b> : ' and "
echo htmlentities($str);
// PHP 8.1 outputs, while depending on the php.ini: A quote in <b>bold</b> : ' and "
echo htmlentities($str);
?>
See also htmlentities and htmlspecialchars.
1.2.528.1. Suggestions¶
Always use the second argument to explicitly set the desired protection
1.2.528.2. Specs¶
Short name |
Structures/HtmlentitiescallDefaultFlag |
Rulesets |
|
Exakat since |
2.2.3 |
PHP Version |
With PHP 8.1 and more recent |
Severity |
Minor |
Time To Fix |
Quick (30 mins) |
Changed Behavior |
PHP 8.1 - More |
Precision |
High |
Features |
escape-sequence, html-entity, class |
Related rule |
|
Available in |