Question

I'm trying to do a register page. The user enters data into an input, and if it doesn't match my criteria I want to put his value back into his input box so he doesn't have to write it again.

I use htmlspecialchars to prevent xss.

$string_from_user = htmlspecialchars($_POST['string'], ENT_QUOTES, 'UTF-8');

echo '<input type="text" name="string" value="'.$string_from_user.'">';

Problem is... let's say I want to enter the name: john"> My input box will now show: john&#34;> and the real value of the input is: john&amp;#34;&gt;

How do I make my input box show: john"> but keep the real value a safe string to prevent XSS?

SOLVED

It seems there was another FILTER_SANITIZE_STRING in my code that I hadn't noticed. I removed it and now everything works very well.

/* This caused the problem: the filter encodes the quotes first, and
   htmlspecialchars() then encodes them a second time.
$string = filter_input(INPUT_POST, 'string', FILTER_SANITIZE_STRING);
*/
$string = $_POST['string'];

$string_from_user = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

echo '<input type="text" name="string" value="'.$string_from_user.'">';
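As an added example (not the asker's code), the following reproduces the double-encoding described in the question side by side with a single output-time escape, using the constructed input john"> from the question; attr_escape() and render_input() are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Escape one value for use inside a double-quoted HTML attribute.
// This runs exactly once, on the raw input, at the point of output.
function attr_escape(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render the form field with the user's previous value echoed back.
function render_input(string $name, string $raw): string
{
    return '<input type="text" name="' . attr_escape($name)
         . '" value="' . attr_escape($raw) . '">';
}

// Constructed input, taken from the question: the user typed   john">
$typed = 'john">';

// Wrong: sanitising on input (FILTER_SANITIZE_STRING, deprecated since PHP 8.1)
// turns the quote into a numeric entity, and attr_escape() then encodes the
// ampersand of that entity again, so the browser shows the entity text itself.
$presanitised = filter_var($typed, FILTER_SANITIZE_STRING);
$double       = attr_escape($presanitised);

// Right: keep the raw value and escape it once where it is written into HTML.
$single = attr_escape($typed);

echo "double-encoded attribute: $double\n";
echo "single-encoded attribute: $single\n";
echo render_input('string', $typed), "\n";

// What the browser decodes back out of the attribute is the original string,
// so resubmitting the form sends john"> unchanged while the markup stays safe.
assert(htmlspecialchars_decode($single, ENT_QUOTES | ENT_HTML5) === $typed);
assert(htmlspecialchars_decode($double, ENT_QUOTES | ENT_HTML5) !== $typed);
```

The rule the example illustrates is to store the raw value and encode it for the specific context (here an HTML attribute) only at output; stacking an input filter on top of that is what produces the john&amp;#34;&gt; the question observed.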

No correct solution

OTHER TIPS

Use htmlspecialchars_decode.

Refer to the manual for information on usage: http://php.net/manual/en/function.htmlspecialchars-decode.php

You should use

$name = htmlentities($name);
echo $name;

htmlentities will convert the characters, which you can see in the page source, but to the end user it will appear clean.

Look at this library; I think it's more powerful for you.

OWASP's antiXSS specific library is at: http://code.google.com/p/php-antixss/
