1.2.532. Htmlentities Using Default Flag

htmlspecialchars(), htmlentities(), htmlspecialchars_decode(), html_entity_decode() and get_html_translation_table() are used to prevent special characters from being injected into HTML code. At a bare minimum, they take a string and encode it for HTML.

The second argument of these functions selects the type of protection: whether quotes are encoded or not, whether HTML 4 or HTML 5 entities are used, etc. It is highly recommended to set it explicitly.

In PHP 8.1, the default value of this parameter changed. It used to be ENT_COMPAT and is now ENT_QUOTES | `ENT_SUBSTITUTE <https://www.php.net/ENT_SUBSTITUTE>`_. The main difference between the two configurations is that the single quote, which was previously left intact, is now encoded as an HTML entity.

<?php
$str = 'A quote in <b>bold</b> : \' and ""';

// PHP 8.0, default flags (ENT_COMPAT), result does not depend on php.ini:
// A quote in &lt;b&gt;bold&lt;/b&gt; : ' and &quot;&quot;
echo htmlentities($str);

// PHP 8.1, default flags (ENT_QUOTES | ENT_SUBSTITUTE), result depends on php.ini:
// A quote in &lt;b&gt;bold&lt;/b&gt; : &#039; and &quot;&quot;
echo htmlentities($str);

?>
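The following is an added example, not part of the original page or of Exakat, showing why the second argument should be fixed explicitly: it contrasts the pre-8.1 default (ENT_COMPAT) with ENT_QUOTES | ENT_SUBSTITUTE on a value placed in a single-quoted attribute and on invalid UTF-8 input. The helper name escapeForHtml() and the sample strings are assumptions.

```php
<?php
declare(strict_types=1);

// Explicit flags, so the result does not change with the PHP version
// or with php.ini settings. ENT_HTML5 selects the HTML 5 entity table.
const HTML_ESCAPE_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// Hypothetical helper: wraps htmlentities() with fixed flags and charset.
function escapeForHtml(string $value): string
{
    return htmlentities($value, HTML_ESCAPE_FLAGS, 'UTF-8');
}

// Constructed sample: a value that would close a single-quoted attribute early.
$untrusted = "x' class='injected";

// 1. Quote handling. ENT_COMPAT (the pre-8.1 default) leaves ' untouched,
//    so the attribute boundary is broken; ENT_QUOTES encodes it
//    (&#039; with ENT_HTML401, &apos; with ENT_HTML5).
$compat = htmlentities($untrusted, ENT_COMPAT | ENT_HTML401, 'UTF-8');
$quotes = escapeForHtml($untrusted);
echo "<span title='$compat'>\n"; // <span title='x' class='injected'>
echo "<span title='$quotes'>\n"; // <span title='x&apos; class=&apos;injected'>

// 2. Invalid UTF-8. Without ENT_SUBSTITUTE (or ENT_IGNORE), htmlentities()
//    returns an empty string and the whole value is silently dropped;
//    with ENT_SUBSTITUTE the bad byte becomes U+FFFD instead.
$broken = "caf\xC3(";
var_dump(htmlentities($broken, ENT_COMPAT | ENT_HTML401, 'UTF-8')); // string(0) ""
var_dump(escapeForHtml($broken));                                   // string(7) "caf�("
```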

See also htmlentities and htmlspecialchars.

1.2.532.1. Connex PHP features

1.2.532.1.1. Suggestions

  • Always use the second argument to explicitly set the desired protection

1.2.532.1.2. Specs

Short name

Structures/HtmlentitiescallDefaultFlag

Rulesets

All, Analyze, CI-checks, Changed Behavior

Exakat since

2.2.3

PHP Version

With PHP 8.1 and more recent

Severity

Minor

Time To Fix

Quick (30 mins)

Changed Behavior

PHP 8.1

Precision

High

Related rule

Htmlentities Calls

Available in

Enterprise Edition, Exakat Cloud