General developer forum

Well,

it seems that the only reason to use htmlentities() in a lot of places is to be able to show characters OUT of the charset specified in the http charset, isn't?

For example, to write some Cyrillic (WINDOWS-1251) chars inside this ISO-8859-1 page, they have to be written as html entities. So, in this case, htmlentities() leaves things unmodified, because the text has been sent, stored and displayed using html entities, isn't it? If it leaves things unmodified, it isn't necessary in this case, is it?

The problem arrives when one Russian moodler (whose charset is WINDOWS-1251) is writing the text in this page. Then, the page is sent and stored to DB in that charset and, before being showed, it's filtered by htmlentities() that, simply, breaks it, both for other moodlers using ISO-8859-1 (because the encoding is incompatible) and for the same moodler using WINDOWS-1251) because htmlentities(), as is used currently, breaks non-iso encodings.

This can be solved by one of this:

- Use htmlentities($text, ENT_COMPAT, 'windows-1251') or
- Use htmlspecialchars($text)

The first will allow any user (using any charset) to see the text properly (because the text is converted to html charset-independant entities).

The second will allow WINDOWS-1251 users (only!) to see the text properly (without any conversion) simply because both text and page encoding match.

As Skodak said two posts above, we have to use htmlentities() because we don't know how the text (encoding) has been entered originally so, it's impossible to know the correct charset to specify in the htmlentities() call.

Anyway, there are at least two situations when we are really sure of the encoding used to write text:

- When $CFG->unicode is enabled. Every page is forced to UF-8.
- When $CFG->courselang is set. Every page inside a course is forced to the encoding used by the lang variable.

Thinking in the future (that wonderful UFT-8 world), I was thinking about change all those htmlentities() calls to some sort of $textlib->htmlentities() function (I have added the initial version of textlib some hours ago to CVS).

This function will detect if $CFG->unicode is enabled or if $CFG->courselang is defined. With any of them present, it will apply the htmlspecialchars() function (because the charset is forced, information will be displayed properly always). For the rest, the standard htmlentities() will be used, trying to convert as many chars as possible but knowing that it won't be perfect always. By doing this, we'll allow sites running under$ CFG->unicode and course with the lang (and charset) forced to run properly, leaving things unmodified for the rest.

In some months, everybody will be running UTF-8 (forced) so, the previous approach will continue working smoothly (without the need of convert to html-entities anymore).

Coming back to my original question, I wanted to know if there was any reason preventing me to use hmlspecialchars() as described above everywhere (some place where the conversion to entities is mandatory, security, url encoding...).

This is the full story!

Ciao

PD: Also, finally, to make things a bit more complex, I only have tested htmlspecialchars() under iso-88591, windows-1251 and utf-8 (latin characters only), so it would be great to get some feedback about how such function is working under REAL non-iso-8859-1 chars (I've done some basic tests under Vietnamese and Chinese and, visually, htmlspecialchars() seems to work fine always). Any native confirmation will be welcome. Sure!