tags:

views:

298

answers:

3
+4  Q: 

How can one prevent double encoding of html entities when they are allowed in the input

How can I prevent double encoding of html entities, or fix them programmatically?

I am using the encode() function from the HTML::Entities perl module to encode HTML entities in user input. The problem here is that we also allow users to input HTML entities directly and these entities end up being double encoded.

For example, a user may enter:

Stackoverflow & Perl = Awesome…

This ends up being encoded to

Stackoverflow & Perl = Awesome…

This renders in the browser as

Stackoverflow & Perl = Awesome…

We want this to render as

Stackoverflow & Perl = Awesome...

Is there a way to prevent this double encoding? Or is there a module or snippet of code that can easily correct these double encoding issues?

Any help is greatly appreciated!

+1  A: 

Consider saving the call to encode() until you retrieve the value for display, rather than before you store it. So long as you are consistent in your retrieval mechanism, the extra data in your database probably isn't worth fretting over.

Edit

Re-reading your question I realize now my answer doesn't fully address the issue seeing as calling encode() later will still have the same results. Not knowing of an alternative myself, it may not be much help, but you may want to consider finding a more suitable method for encoding that will respect existing symbols.

Nathan Taylor  2010-04-09 01:38:17
I think a method that respects existing entities would be ideal. I know that the corresponding method to encode in PHP has a flag to prevent double encoding. Does such a method exist in Perl?
Bob  2010-04-13 01:45:56
+4  A: 

There is an extremely simple way to avoid this:

  1. Remove all the entities upon input (turn them into Unicode)
  2. Encode into entities again at the stage of output.
Kinopiko  2010-04-09 01:48:46
Always. Always store data in a known format. Don't mix and match. Always decode (transform into a known format) on input. Always encode (transform into the necessary format for display or interaction) on output. Applies to HTML-entities just as much as it applies to Unicode.
hobbs  2010-04-09 04:39:05
+6  A: 

You can decode the string first:

my $input = from_user();

my $encoded = encode_entities( decode_entities $input );
Eric Strom  2010-04-09 01:48:52

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?