Problem with Apostrophe

When a user uploads a photo for their profile, I allow them to add an optional Photo Label like this…

Sam’s Spiral GIF

To prevent against XSS attacks, I wrapped the Photo Label with htmlentities like this…


		title='" . htmlentities($photoLabel) . "' />

The problem is that when I hover over the user’s photo, I see this…

Sam & #039 ; s Spiral GIF

(I added spaces above because it keeps getting converted by SitePoint?!)

How can I use htmlentities() and get my output to look proper?

Thanks,

Debbie

Might want to use addslashes instead

But I believe addslashes() is intended for escaping data before it goes into a database.

I need to safely handle data during output to the screen…

Debbie

addslashes() on the way in
stripslashes() on the way out.

addslashes is related to SQL injection, so it doesn’t apply here.

@Debbie I suspect that somewhere along the way, you’ve double-escaped the photo label. Check where the value of photoLabel comes from and everything it passes through, and make sure it hasn’t already been run through htmlentities.
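The double-escaping described in this reply, reproduced as an added example (not code from the thread); the label is a constructed sample, `buildLabel()` stands in for the "function above" Debbie mentions, and the fixes assume PHP's `htmlentities()` with its `ENT_QUOTES` flag and `double_encode` parameter:

```php
<?php
// Added example: why "Sam&#039;s" shows up literally, and two ways to stop it.

// Constructed sample label, the same shape as the one in the question.
$photoLabel = "Sam's Spiral GIF";

// First escape, inside a helper (this plays the role of the "function above").
// ENT_QUOTES is required so the apostrophe is converted; without it a single-
// quoted attribute can be terminated early by the label.
function buildLabel(string $raw): string
{
    return htmlentities($raw, ENT_QUOTES, 'UTF-8');
}

$once = buildLabel($photoLabel);
// $once: Sam&#039;s Spiral GIF   (correct for use inside title='...')

// Second escape, in the template: the & of &#039; is itself encoded to &amp;
// so the browser now displays the entity text instead of an apostrophe.
$twice = htmlentities($once, ENT_QUOTES, 'UTF-8');
// $twice: Sam&amp;#039;s Spiral GIF

// Fix A: escape exactly once, at the point of output, and nowhere else.
$attr = "title='" . buildLabel($photoLabel) . "'";
// $attr: title='Sam&#039;s Spiral GIF'

// Fix B: if a value may already contain entities, pass double_encode = false
// so existing entities are left alone while raw characters are still escaped.
$safe = htmlentities($once, ENT_QUOTES, 'UTF-8', false);
// $safe: Sam&#039;s Spiral GIF

printf("%s\n%s\n%s\n%s\n", $once, $twice, $attr, $safe);
```

Fix A is the one to prefer: escape once, at output, in the context where the value lands. Fix B hides the symptom but leaves two escaping layers in place, which is how this kind of bug creeps back in.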

You would be correct.

Turns out I had htmlentities in a function above and then again in my HTML.

Thanks!

Debbie

It is true that addslashes is primarily for SQL Injections, but look at the code provided again.

title='" . htmlentities($photoLabel) . "' /> 

Notice she has single quotes for the title attribute, so her output (without htmlentities) would have been title='Sam's Spiral GIF'. So my point is, addslashes would have worked here too but it wouldn’t take care of XSS attacks like htmlentities would.

Too many programming languages on the brain. :slight_smile: It can be easy to mix them up. In languages such as PHP and JavaScript, a backslash escapes special characters. But in HTML, the backslash has no special meaning at all.
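The point of the last two replies, as an added example that is not from the thread: a backslash protects a quote in PHP or JavaScript source but means nothing to an HTML parser, so addslashes() neither fixes the apostrophe nor prevents attribute injection. The labels and the `spiral.gif` path are constructed; the two builder functions are hypothetical wrappers around PHP's real `addslashes()` and `htmlentities()`:

```php
<?php
// Added example: addslashes() vs htmlentities() for a single-quoted attribute.

// Constructed inputs. The second one is a test string showing how an
// attacker-controlled label can add an attribute of its own choosing
// (an event-handler attribute would be the XSS variant of this).
$benign  = "Sam's Spiral GIF";
$hostile = "x' data-injected=1 z='";

function withAddslashes(string $label): string
{
    return "<img src='spiral.gif' title='" . addslashes($label) . "' />";
}

function withHtmlentities(string $label): string
{
    return "<img src='spiral.gif' title='" . htmlentities($label, ENT_QUOTES, 'UTF-8') . "' />";
}

// HTML has no backslash escaping: the attribute still ends at the first
// unescaped apostrophe, so the benign label renders as the tooltip "Sam\"
// and the hostile label's data-injected=1 becomes a real attribute.
echo withAddslashes($benign), "\n";
// <img src='spiral.gif' title='Sam\'s Spiral GIF' />
echo withAddslashes($hostile), "\n";
// <img src='spiral.gif' title='x\' data-injected=1 z=\'' />

// With ENT_QUOTES every apostrophe becomes &#039;, so the attribute value
// cannot terminate early; the browser decodes the entity back to ' on display.
echo withHtmlentities($benign), "\n";
// <img src='spiral.gif' title='Sam&#039;s Spiral GIF' />
echo withHtmlentities($hostile), "\n";
// <img src='spiral.gif' title='x&#039; data-injected=1 z=&#039;' />
```

The escaping function has to match the context the data is written into: addslashes() (or better, a parameterised query) for SQL, htmlentities() or htmlspecialchars() with ENT_QUOTES for HTML text and quoted attributes.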