Question

I have a little static function so that I can easily build html valid urls on my local website, it is below;

public static function url($path = false) {

    // Build return url with special html characters escaped
    return 'http://127.0.0.1/' . htmlspecialchars($path);
}

I have two urls one inside an anchor and another is inside a form action, they are below;

Root::url('test?category=' . $category . '&index=' . $index) // Href

Root::url('test?category=' . $_GET['category'] . '&index=' . $_GET['index']) // Form

GET === $, you can see inside my static function that I use htmlspecialchars to escape special html characters from my url.

The anchor one returns a valid link and works as expected. The form one however returns the following, as in when I click on the form submit, my url in my browser is as follows.

http://127.0.0.1/test?category=innate&amp;index=0

Why is this? My website breaks because it is dependent on the GET parameters being valid.

Thanks for your time, hope this made sense.

EDIT

I insert the return value of the function call straight into my form action,

<form 
action="<?= Root::url('test?category=' . $_GET['category'] . '&index=' . $_GET['index']); ?>" 
method="post">

EDIT

The form html is as follows;

<form action="http://example.com/test?category=innate&amp;index=0" method="post">

The anchor html is as follows

<a href="http://example.com/test?category=innate&amp;index=0">

Could it be something to do with the server sending a POST request even though I have GET parameters?

EDIT #3

Ok so it has something to do with my function or what I am passing in, I hard typed in the url in the form submit and it worked, no problems, which means it can only be what my function is returning.

I myself cannot see what it may be!

ANSWER

After the form was being submitted, I was redirecting to the same page using header to counter form resubmission. The string for the header was being generated by Root::url().

Two hours this took me to figure out, but boy does it feel good!


Solution

Normally you wouldn't add a query string to a POST URL. It's not forbidden, though, it may only be somewhat confusing, especially if you use $_REQUEST (which you don't, it seems).

I don't know why your browser shows an uninterpreted &amp;, it should interpret it.

Your problems are likely due to one of these:

  1. a bad browser - try another one
  2. bad content of the form input fields
  3. other

OTHER TIPS

This is quite logical.

I assume your url() method looks like this:

function url($string){
  echo htmlspecialchars($string);
}

Let's have a look at the $string you are passing:

'test?category=' . $_GET['category'] . '&index=' . $_GET['index'];

As I see in your output, replacing the values, the final string before htmlspecialchars() occurs would be:

'test?category=innate&index=0' and after it: test?category=innate&amp;index=0


What happened here? You first concatenated the string, and then htmlspecialchars()'ed the & used to separate the parameters. And to not break the url, you don't want to convert THAT '&'.

Also, to sanitize the url you shouldn't use htmlspecialchars() because most html entities would convert to something like & + somename + ; for example the Euro symbol would convert to &euro; and you don't want the actual & symbol in your url, the browsers will interpret it as you have another new parameter awaiting.

You should use urlencode(), which will convert your & into: %26 , also, the function's name is self-explanatory, it's encoding a string to use on a URL.


Still, you want the & to separate the parameters, but not in the $_GET values. What should we do? Urlencode the values before concatenating the string. I would suggest a method like this one:

function url($page, $get){
    $parameters = array();
    foreach($get as $k => $v) $parameters[] = urlencode($k)."=".urlencode($v);
    //We are concatenating with ? and & the urlencoded() values in the next line:
    echo urlencode($page).'?'.implode('&', $parameters);
}

url('test', $_GET); // outputs: test?category=innate&index=0 

This would get rid of the special chars from a form's field names and values.

I noticed you will use 2 fixed parameters, category and index, so the method could be like this:

function url($page, $get){
    $page = urlencode($page);
    $category = urlencode($get['category']);
    $index = urlencode($get['index']);
    echo "$page?category=$category&index=$index";
}

Hope this is what you needed
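
The ANSWER above traces the breakage to Root::url() output being reused in a header() redirect, and the last answer recommends urlencode() for the values. As an added example (not code from the original posts), this sketch keeps the two encodings apart: values are percent-encoded when the URL is built, and HTML escaping is applied only when the finished URL is printed into an attribute. Root::attr(), the BASE constant and the sample input are assumptions made for the illustration.

```php
<?php
// Added example. Root::url() reuses the question's helper name;
// Root::attr() and BASE are hypothetical names introduced here.
final class Root
{
    private const BASE = 'http://127.0.0.1/';

    // Raw URL: keys and values are percent-encoded, '&' stays a literal separator.
    public static function url(string $path, array $query = []): string
    {
        $url = self::BASE . ltrim($path, '/');
        if ($query !== []) {
            $url .= '?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986);
        }
        return $url;
    }

    // HTML attribute context only: escape the finished URL for href="" / action="".
    public static function attr(string $path, array $query = []): string
    {
        return htmlspecialchars(self::url($path, $query), ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample input standing in for $_GET, with characters that need encoding.
$get   = ['category' => 'innate & "rare"', 'index' => '0'];
$query = ['category' => (string) $get['category'], 'index' => (string) $get['index']];

$raw  = Root::url('test', $query);   // use this in header('Location: ' . $raw)
$html = Root::attr('test', $query);  // use this in <form action="..."> and <a href="...">

echo "Location: $raw\n";
echo "<form action=\"$html\" method=\"post\">\n";

// A browser decodes &amp; inside an attribute, so the escaped form names the same URL.
if (html_entity_decode($html, ENT_QUOTES, 'UTF-8') !== $raw) {
    throw new RuntimeException('attribute value does not decode to the raw URL');
}

// The redirect bug from the question: HTML-escaped text placed in a header is never
// entity-decoded, so the server later sees a parameter named "amp;index".
parse_str((string) parse_url($html, PHP_URL_QUERY), $seen);
if (isset($seen['index']) || !isset($seen['amp;index'])) {
    throw new RuntimeException('expected the escaped URL to lose the index parameter');
}
echo "Escaped URL used as a redirect target parses to keys: "
    . implode(', ', array_keys($seen)) . "\n";
```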

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow