Use htmlspecialchars_decode
http://php.net/manual/en/function.htmlspecialchars-decode.php refer to the manual for information on usage.
Question
I'm trying do a register page, user enter data into input and if that don't match my criteria i want to put his value again in his input box so him don't have to write it again.
I use htmlspecialchars to prevent xss.
$string_from_user = htmlspecialchars($_POST['string'], ENT_QUOTES, 'UTF-8');
echo '<input type="text" name="string" value="'.$string_from_user.'">';
Problem is...let's say i want to enter name: john">
My input box now will show: john">
and the real value of input is: john&#34;>
How to make to show my input box to show: john">
but the real value to be an safe string to prevent xss
SOLVED
It seems there was another FILTER_SANITIZE_STRING on my code that i didn't noticed. I removed and now everything works very well.
/* this caused by problems.
$string = filter_input(INPUT_POST, 'string', FILTER_SANITIZE_STRING);
*/
$string_from_user = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
echo '<input type="text" name="string" value="'.$string_from_user.'">';
No correct solution
OTHER TIPS
Use htmlspecialchars_decode
http://php.net/manual/en/function.htmlspecialchars-decode.php refer to the manual for information on usage.
You should use
$name=htmlentities($name);
echo $name;
htmlentities will be converted which you can view it in the pagesource of the page but to the end user it will appear clean
look at this library i think its more powerfull for you
OWASP's antiXSS specific library is at: http://code.google.com/p/php-antixss/
It seems there was another FILTER_SANITIZE_STRING on my code that i didn't noticed. I removed and now everything works very well.
/* this caused by problems.
$string = filter_input(INPUT_POST, 'string', FILTER_SANITIZE_STRING);
*/
$string_from_user = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
echo '<input type="text" name="string" value="'.$string_from_user.'">';