PHP encoding the POST input

Question

I have a PHP code as shown below in which on POST call, I am getting encrypted value instead of the character. For example, on entering Hello World' I get this Hello World&#39; instead of Hello World' on console (from Line Z).

In the form_validator.php, I am using the following:

if (isset($_POST["response"]))
    $response = $_POST["response"];
print_r($response);

In the form.php, I have the following code:

<form id="acbdef" name="abcdef" action="#" method="post">
  <table width="100%" class="wb-tables table">
    <tr>
      <td>
        <?php echo SECRET_RESPONSE;?>:
      </td>
      <td colspan="2"><input type="text" id="response" name="response" value="" /></td>
    </tr>
  </table>
</form>

<script>
  $("#save").click(function () {
    $.post('form_validator.php', $("#abcdef").serialize(), function (data) {
      console.log(data); // Line Z
    });// end function(data)
  });
</script>

In the config.php, I have the following:

$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
$_REQUEST = (array) $_POST + (array) $_GET + (array) $_REQUEST;

Problem Statement :

I am wondering what changes I need to make in the php code above so that it takes the character itself instead of HTML coded apostrophe.

Answer 1

You seems to be serializing the input. In jquery before you send it to your php. You will need to decode it before you print it.

Check out https://www.php.net/manual/en/function.html-entity-decode as a place to start

Answer 2

The problem is in your config.php where you have the following line:

$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

This will HTML-encode single and double quotes in the input, as defined in chapter Sanitize filters:

FILTER_SANITIZE_STRING

Strip tags and HTML-encode double and single quotes, optionally strip or encode special characters. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. (Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.)

If you don't want to convert any single or double quotes in their respective HTML-encoded strings, then use the flag FILTER_FLAG_NO_ENCODE_QUOTES or don't use the FILTER_SANITIZE_STRING filter (it is deprecated anyway).

Answer 3

@Progman's answer is how to fix your issue with configuration, and covers which argument flags you might want to use.

I wanted to ensure the why was better understood.

Your string is technically not encrypted, rather it has been encoded, it has been transformed to an HTML "safe" equivalent -- using HTML character entities. You can read more about that here https://developer.mozilla.org/en-US/docs/Glossary/Entity

But essentially, the ' has been converted to an HTML entity code &#39. The idea being, it has become safe to embed in an HTML document, without it itself being interpreted as HTML, but as simply text.

It's a very simular concept to escaping strings, only specificly for HTML documents and Web Browsers.

All HTML entities can be represented as there literals or their entity codes. In this case ' can be written literally as ' or as &#39.

Most scripting languages have functions to perform these conversions for you. Such as PHP's html_entity_decode and htmlentities functions.

--

PHP Frameworks. Some frameworks will hook into your $_GLOBALS very early on, as the request is first recieved, and perform basic Sanitization on your request data. If you are using such a framework, perhaps that would explain where the initial encoding is being performed.

The basic idea here, is perhaps, since such conversions are generally needed anyways, for reuse of the request information, why not ensure it is normalized early on, and perhaps stored in any database in such a manner to remain HTML "safe".