PHP

Tim Stride

Re-displaying submitted form data after escaping output: how should it look?

I want to create a simple contact form on a sports club's website that includes a <textarea> field for the user to type their enquiry. I've set it so that if an error message is triggered, the data that the user submitted is re-displayed on the form so they can correct it. I've filtered the input and escaped the output for the re-display, e.g. the enquiry field code:

<label for="enquiry">Your enquiry</label><br />
<textarea id="enquiry" name="user_enquiry"><?php if (isset($enquiry)) { echo htmlspecialchars($enquiry, ENT_NOQUOTES, 'UTF-8'); } ?></textarea><br />

However, the user's enquiry is re-displayed with the HTML entities replacing certain characters, and line breaks are also removed. This means (a) it would look strange to the user and (b) when the user corrects the form and successfully submits it, the enquiry that is then emailed through to the recipient (and copied to the user) displays the HTML entities in the text instead of the desired characters, again making it harder to read.

For example, this:

Will the 'Home Plate' bar be open?

When I asked last week I was told by a staff member "the bar will definitely be open".

is re-displayed as:

Will the &#39;Home Plate&#39; bar be open?&#13;&#10;&#13;&#10;When I asked last week I was told by a staff member &#34;the bar will definitely be open&#34;.

I appreciate that special characters are probably not going to be commonly included in users' enquiries so it may not be a massive problem but I'm confused by several issues with this:

When output back onto an HTML web page, are the entities not meant to be converted back into the relevant characters?

Including ENT_NOQUOTES in the escape code is meant to stop double quote marks being converted, but they still have been. By default, single quotes are not meant to be converted, but they have been.

Why are line breaks being removed as well?

Am I doing something wrong or misunderstanding what is meant to happen?

1 Answer

Tim Stride

Think I solved it. I needed to turn double encoding off (set it to 'false') when escaping output on the re-displayed form field data. Otherwise, it was re-encoding the HTML entities (already converted by filtering the input) instead of decoding them and displaying them as the characters we'd expect to see.

<label for="enquiry">Your enquiry</label><br />
<textarea id="enquiry" name="user_enquiry">
<?php if (isset($enquiry)) { echo htmlspecialchars($enquiry, ENT_QUOTES | ENT_HTML5, 'UTF-8', false); } ?>
</textarea><br />
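As an added worked example (not the original poster's code), the following command-line PHP script reproduces the double encoding described in the question, applies the double_encode = false fix from the answer, and contrasts it with the alternative of keeping the raw submitted text and escaping it once, at output, which also keeps the emailed copy free of entities. The sample enquiry, the hostile input and the function names (filter_at_input, escape_double, escape_no_double, validate_enquiry, render_textarea) are constructed for this example. FILTER_SANITIZE_SPECIAL_CHARS is assumed as the input filter because it produces exactly the numeric entities quoted in the question (&#39;, &#34;, &#13;&#10;); the thread does not say which filter was used.

```php
<?php
declare(strict_types=1);

// Constructed sample enquiry (browsers submit textarea line breaks as CRLF).
const SUBMITTED = "Will the 'Home Plate' bar be open?\r\n\r\n"
    . "When I asked last week I was told by a staff member "
    . "\"the bar will definitely be open\".";

// Constructed hostile input: an attempt to break out of the textarea.
const HOSTILE = "</textarea><script>alert(1)</script>";

// Pipeline A (the pattern the question describes): encode at input time.
// FILTER_SANITIZE_SPECIAL_CHARS turns ' " < > & and control characters
// (including \r and \n) into numeric entities: &#39; &#34; &#13;&#10; ...
function filter_at_input(string $raw): string
{
    return filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
}

// Escaping the already-encoded value again turns &#39; into &amp;#39;,
// which the browser shows literally. This is the symptom in the question.
function escape_double(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The answer's fix: double_encode = false leaves existing, syntactically
// valid entities alone but still encodes any bare < > & ' " it finds.
function escape_no_double(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
}

// Pipeline B (escape once, at output): keep the raw text, validate it, and
// encode only where it is emitted. htmlspecialchars never touches \r or \n,
// so line breaks survive, and the email body can use the raw text directly.
function validate_enquiry(string $raw): string
{
    $raw = str_replace("\r\n", "\n", $raw);              // normalise line endings
    if (preg_match('//u', $raw) !== 1) {                 // reject invalid UTF-8
        throw new InvalidArgumentException('Enquiry is not valid UTF-8');
    }
    if (strlen($raw) > 4000) {                           // byte-length cap (assumed limit)
        throw new InvalidArgumentException('Enquiry too long');
    }
    return $raw;
}

function render_textarea(string $raw): string
{
    return '<textarea id="enquiry" name="user_enquiry">'
        . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// --- Walk through both pipelines -------------------------------------------
$filtered = filter_at_input(SUBMITTED);
echo "A1 filtered at input:\n$filtered\n\n";
echo "A2 escaped again (double-encoded, what the question saw):\n", escape_double($filtered), "\n\n";
echo "A3 escaped with double_encode=false (the answer's fix):\n", escape_no_double($filtered), "\n\n";

$clean = validate_enquiry(SUBMITTED);
echo "B1 textarea, escaped once from raw text:\n", render_textarea($clean), "\n\n";
echo "B2 email body (raw text, no entities):\n$clean\n\n";

// Both pipelines keep the hostile payload inside the textarea: every '<' is
// emitted as an entity, so the literal </textarea> cannot close the element.
echo "Hostile, pipeline A: ", escape_no_double(filter_at_input(HOSTILE)), "\n";
echo "Hostile, pipeline B: ", render_textarea(validate_enquiry(HOSTILE)), "\n\n";

// Caveat: double_encode=false only makes sense when every '&' in the value
// was encoded upstream. Applied to raw text it passes a literal "&amp;" typed
// by the user straight through, so the browser shows "&" instead of "&amp;".
echo "Raw '&amp;' with double_encode=false: ", escape_no_double('&amp;'), "\n";
echo "Raw '&amp;' escaped normally:         ", escape_double('&amp;'), "\n";
```

Run it with `php example.php`. Pipeline A prints the `&#39;`/`&#13;&#10;` form from the question, then the `&amp;#39;` double-encoded form, then the pass-through form the answer arrives at. Pipeline B shows the same enquiry with `&apos;` and `&quot;` in the textarea but plain quotes and real line breaks in the text that would go into the email. Either way, `<` is always emitted as an entity, so the fix in the answer does not weaken the escaping; the reason to prefer escaping once at output is that the stored and emailed value is then the text the user actually typed.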