Editing escaped code (for display)

Question

If I escape some code because I want it to display as the actual code in html (eg for an example code snippet), save it to the database and then pull it back to the editor (an html page), it is displayed as html, as opposed to the escaped text.

My problem arises when I include a textarea tag in the text because it will prematurely close the editing area and chop off the rest of what I write when it is saved (or more if I don't close the tag).

So my question is: Is this intended behavior on the part of the browser? -> So I need to escape the text (code and pre tags perhaps)? every time I want to make changes to it? Or am I doing something wrong?

*Note I am the only person using this and it is mostly just for learning, so I am not worried about the security aspect so much as the way in check I need to handle my html when using it in a browser and have it behave in an expected way.

Answer 1

In my experience, you do need to do some kind of special character escaping. In PHP the function is htmlspecialchars(). I have don't know about other functions. But the browse will display the encoded characters in the textarea properly.

Answer 2

Most web based languages will have some library function for escaping HTML-interpreted characters, so check the documentation for the language you're using.

Like Darryl said, html_entities() (which is an alias for htmlspecialchars()) will do the trick in PHP.

Answer 3

@Bob: htmlentities() is not the same as htmlspecialchars()

htmlentities() will convert every character that has an ASCII code to that code. htmlspecialchars() will only do those that are special in HTML, such as &, quotes, and < or >

This is quite a major difference that can break some things and can also cause the result to be enormous when using htmlentities().

Answer 4

Is this intended behavior on the part of the browser? Yes, the browser interprets your (unescaped) HTML code as HTML tags belonging to the page and acts on them.

So I need to escape the text (code and pre tags perhaps)? Yes, as Darryl Hein said, use htmlspecialchars(). They will be displayed correctly by the browser, and you don't need to "unescape" the data as it comes back from editing.

...am I doing something wrong? You should inspect any input coming to your application or leaving it and see if there is a possibility of any characters in it that have special significance for the browser, for your database server, and for other parts of your solution. You should escape the special characters properly for every interaction (i.e. mysql_escape_string() for MySQL database, htmlspecialchars() for HTML, etc.)