
I have an HTML form value as a PHP function: value='".$item->get_title()."' (This is in an echo statement, hence the single quotes.) The problem is that if the returned title contains any quotes it breaks the value function.

Example: value="Kim Dotcom lawyer blasts US government" s "pattern of delay &quote;'>

As you can see it breaks at government. There is supposed to be an apostrophe after that.

Does anyone know a fix for this?

The fix: value='".htmlspecialchars($item->get_title(), ENT_QUOTES)."'

3 Answers


Use htmlspecialchars to escape output not meant to be rendered as HTML:

value="'.htmlspecialchars($item->get_title(), ENT_QUOTES).'" 

By default, htmlspecialchars only escapes double quotes, not single quotes. If you want to escape both (and so maintain your practice of putting HTML values in single quotes), add ENT_QUOTES as the second parameter to htmlspecialchars.


2 Comments

This does not work at all without swapping the "' to '". After I have swapped them and the feed is loading, it still does not show up correctly :(
EDIT: Added the ENT_QUOTES and it works! Thanks so much, will add an edit above.
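The accepted fix in context, as an added example (not code from the question or any answer): a small attribute-escaping helper using the constructed title below in place of $item->get_title(), contrasted with the double-quote-only escaping that reproduces the broken output from the question.

```php
<?php
declare(strict_types=1);

// Constructed sample title containing both an apostrophe and double quotes,
// standing in for $item->get_title() from the question.
$title = "Kim Dotcom lawyer blasts US government's \"pattern of delay\"";

// Escape a string for use inside an HTML attribute value.
// ENT_QUOTES escapes both ' and " so the value is safe whichever delimiter
// the attribute uses; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently drop the whole value.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same shape as the question: double-quoted PHP string, single-quoted attribute.
// The apostrophe becomes an entity, so the attribute is not terminated early.
echo "<input type='text' name='title' value='" . attr($title) . "'>\n";

// ENT_COMPAT (the pre-PHP 8.1 default) escapes only double quotes, so the
// apostrophe after "government" ends the attribute and the rest of the title
// is emitted as bare markup, which is exactly the breakage in the question.
echo "<input type='text' name='title' value='" . htmlspecialchars($title, ENT_COMPAT, 'UTF-8') . "'>\n";
```

Since PHP 8.1 the default flags already include ENT_QUOTES, but passing them explicitly keeps the behaviour the same across versions.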

try with htmlspecialchars

htmlspecialchars($item->get_title()); 



try:

value='".str_replace('"', '', $item->get_title())."' 

2 Comments

Wrong - addslashes doesn't escape for HTML; it's the old way to escape for SQL (and possibly a few other things, such as JSON; I can't think of anything right now that it's the best tool for). Stripping quotes (as in your second suggestion) would sorta work, but it changes the data, which is likely to still be problematic.
That does not seem to work, it is still the same as seen in the picture above.
