I am trying to format some bad html to output into a popup window. The html is stored in a field in a mysql database.

I have been performing json_encode and htmlspecialchars on the row in the php like so:

$html = htmlentities(json_encode($row2['ARTICLE_DESC']));

and calling my makewindows function, which simply takes the html as a parameter and uses it with document.write like so:

  <p><a href='#' onclick=\"makewindows('".$html."'); return false;\">Click for full description </a></p>

This works ok, as in some html code is produced, such as the following:

http://www.nomorepasting.com/getpaste.php?pasteid=22823&amp;seen=true&amp;wrap=on&amp;langoverride=html4strict

pasted there because I do not know how to wrap lines in SO

The problem is that htmlspecialchars does not seem to be stripping bad html data, as no popup window is created. The error I receive with firebug is

missing ) after argument list

However the html is outside of my control.

From what I have read, I am taking the correct steps. If I am missing something out, what is it?

My full makewindows function:

function makewindows(html){
    // open a blank window and write the supplied markup into it
    var child1 = window.open("about:blank");
    child1.document.write(html);
    child1.document.close();
}
+1  A: 

You shouldn't have the single quotes in the function call. It should look like this:

<p><a href='#' onclick=\"makewindows(" . $html . "); return false;\">Click for full description </a></p>

Then the output will look like

<p><a href='#' onclick="makewindows(&quot;.....&quot;); return false;">Click for full description </a></p>

which is correct.

Greg
A: 

Try it the following way:

$html = htmlentities(json_encode($row2['ARTICLE_DESC']),ENT_QUOTES);

I think the single quotation marks are not escaped by default. Nevertheless I recommend saving the html in a JavaScript variable before opening the window.

okoman
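A worked example in PHP that combines both answers above (added here, not code from the question or from either answer): it assumes a constructed $description string standing in for $row2['ARTICLE_DESC'], builds the JavaScript string literal with json_encode plus the JSON_HEX_* flags, encodes it for the attribute with htmlspecialchars(..., ENT_QUOTES), and passes it to makewindows without the extra single quotes.

```php
<?php
// Constructed sample standing in for $row2['ARTICLE_DESC']: it contains every
// character that can break one of the enclosing layers (JS string literal,
// double-quoted HTML attribute, and the surrounding HTML document).
$description = "<b>It's</b> 5\" tall & </a><script>alert(1)</script>";

// Step 1: turn the text into a JavaScript string literal. The JSON_HEX_* flags
// emit < > & ' " as \uXXXX escapes, so the literal carries no raw quote or
// angle bracket that could end the attribute or a <script> element early.
function jsStringLiteral(string $text): string
{
    $json = json_encode(
        $text,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

// Step 2: encode the literal for placement inside a double-quoted attribute.
// ENT_QUOTES matters: without it htmlspecialchars leaves ' untouched.
function attributeValue(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// json_encode already wraps the literal in double quotes, so the onclick call
// must not add its own quotes around it (the point of the first answer).
$literal = jsStringLiteral($description);
$onclick = 'makewindows(' . attributeValue($literal) . '); return false;';

echo '<p><a href="#" onclick="' . $onclick . '">Click for full description</a></p>', PHP_EOL;

// For comparison, the question's original pipeline: htmlentities without
// ENT_QUOTES keeps the apostrophe in "It's" raw, which is what terminates the
// single-quoted argument early and produces "missing ) after argument list".
$original = htmlentities(json_encode($description));
echo "<!-- original pipeline: makewindows('" . $original . "') -->", PHP_EOL;
```

The browser decodes the attribute entities back to makewindows("\u003Cb\u003EIt\u0027s...") and the JS engine turns the \u escapes into the original text, so document.write receives the markup unchanged; the encoding only keeps the attribute intact, it does not sanitise the markup itself, which still needs filtering if ARTICLE_DESC is untrusted.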