2
votes

I have a form that contains html entities in an input field, something like:

<input type="hidden" name="foo" value="<?php echo htmlspecialchars($foo, ENT_QUOTES, 'UTF-8'); ?>" />

If $foo takes in the value of something like "<b>foo</b>", it seems that when the form is posted to the PHP script, the value of $_POST['foo'] is already decoded...so does that mean I don't need to use htmlspecialchars_decode to convert $_POST['foo'] back to its original form $foo?

Thanks for any input on this issue.

1
Depends. If $foo is suddenly " onclick="malicious code" you have a problem; that's why you encode to entities, to avoid XSS. - adeneo
@adeneo, thank you for your comment. Yes, that's true, but I was actually referring to the need to decode the value back to its original form after the encoded input (to avoid XSS) is posted to the PHP script. - tonytz
Is it actually returning the unencoded characters "<" and ">" or is it returning "&lt;" and "&gt;"? If the former, you won't see the HTML tags when printed to the page. If the latter, you will see the tags, but when viewing the source of the page you will see the encoded characters. - dartonw
It's returning "<" and ">" inside the PHP script that receives the submit, without any decoding involved. - tonytz
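The behaviour tonytz reports is the HTML parser at work: the browser decodes character references when it reads an attribute value, and the decoded string is what it submits, so $_POST['foo'] already holds the original $foo. The script below is an added example, not code from the question; it renders the hidden input the way the template does and uses html_entity_decode() as a stand-in for the browser's attribute parsing so the round trip can be checked offline. The sample values are constructed, and the last one shows why calling htmlspecialchars_decode() on the posted value would be a bug.

```php
<?php
// Added example (not from the original post): simulate the round trip of a
// hidden field value through htmlspecialchars() and the browser's attribute
// parsing. Run with: php roundtrip.php
declare(strict_types=1);

// Render the hidden input the way the question's template does.
// ENT_QUOTES also escapes single quotes, so the output is safe in either
// attribute quoting style; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function render_hidden(string $name, string $value): string
{
    $attrName  = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $attrValue = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="' . $attrName . '" value="' . $attrValue . '" />';
}

// Stand-in for the browser: when the HTML parser reads an attribute value it
// decodes character references, and that decoded string is what gets submitted.
// html_entity_decode() with matching flags models that single decoding step.
function browser_attribute_value(string $html): string
{
    if (!preg_match('/value="([^"]*)"/', $html, $m)) {
        throw new RuntimeException('no value attribute found');
    }
    return html_entity_decode($m[1], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the benign case from the question, the attribute breakout
// adeneo's comment describes, and a value that itself contains entity text.
$samples = [
    '<b>foo</b>',
    '" onclick="alert(1)',
    "O'Reilly & Sons",
    '&lt;b&gt;',
];

foreach ($samples as $foo) {
    $html   = render_hidden('foo', $foo);
    $posted = browser_attribute_value($html);   // what $_POST['foo'] will contain

    printf("original : %s\n", $foo);
    printf("rendered : %s\n", $html);
    printf("posted   : %s\n", $posted);
    printf("round-trip intact: %s\n", $posted === $foo ? 'yes' : 'NO');
    // Decoding again corrupts any value that legitimately contained entity text.
    printf("extra htmlspecialchars_decode(): %s\n\n", htmlspecialchars_decode($posted, ENT_QUOTES));
}
```

For the first three samples the posted string equals the original, which is the answer to the question: no htmlspecialchars_decode() is needed. For the fourth, the original string "&lt;b&gt;" comes back intact, but an extra decode turns it into "<b>", silently changing the data. Escape on output, once, and leave the posted value alone.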

1 Answer

1
votes

When it comes to user input, code very defensively. Never make any assumptions. While the initial state may be set by the server, there's nothing stopping someone from manipulating the value of your hidden input to a malicious value. At that point it's on you to handle that value responsibly, so make sure you cover any case that is possible.
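One concrete way to follow this advice for a hidden field the server itself populates is to sign the value when the form is rendered and verify the signature when it comes back, so a value edited in the browser's developer tools or in a replayed request is rejected before the script uses it. The code below is an added example and is not the answer's own code; the secret, the field names and the two simulated $_POST arrays are constructed for the illustration.

```php
<?php
// Added example (not the answer's own code): treat the hidden field as
// untrusted input. The server signs the value it emits and checks the
// signature on the way back, so a tampered value is rejected. The secret,
// field names and sample $_POST arrays below are constructed for this demo.
declare(strict_types=1);

// Assumption: in real code this comes from configuration, not source.
const HIDDEN_FIELD_SECRET = 'replace-with-a-random-32-byte-key-from-your-config';

function sign_hidden_value(string $value): string
{
    return hash_hmac('sha256', $value, HIDDEN_FIELD_SECRET);
}

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Emit the value and a companion field carrying its HMAC.
function render_signed_hidden(string $name, string $value): string
{
    return '<input type="hidden" name="' . esc($name) . '" value="' . esc($value) . '" />' . "\n"
         . '<input type="hidden" name="' . esc($name . '_sig') . '" value="' . esc(sign_hidden_value($value)) . '" />';
}

// Returns the verified value, or null if the field is missing, malformed or tampered.
function read_signed_hidden(array $post, string $name): ?string
{
    $value = $post[$name] ?? null;
    $sig   = $post[$name . '_sig'] ?? null;
    if (!is_string($value) || !is_string($sig)) {
        return null;                       // absent, or sent as foo[]=... array
    }
    if (!hash_equals(sign_hidden_value($value), $sig)) {
        return null;                       // constant-time compare; rejects edits
    }
    return $value;
}

$foo = '<b>foo</b>';
echo render_signed_hidden('foo', $foo), "\n\n";

// Constructed submissions. The browser has already decoded the entities, so the
// legitimate post carries the original string and needs no htmlspecialchars_decode().
$legit    = ['foo' => $foo, 'foo_sig' => sign_hidden_value($foo)];
$tampered = ['foo' => '" onclick="alert(1)', 'foo_sig' => $legit['foo_sig']];

foreach (['legit' => $legit, 'tampered' => $tampered] as $label => $post) {
    $value = read_signed_hidden($post, 'foo');
    if ($value === null) {
        echo "$label: rejected\n";
        continue;
    }
    // Even an accepted value is re-escaped whenever it goes back into HTML.
    echo "$label: accepted, rendered as " . esc($value) . "\n";
}
```

The signature proves the value is one the server issued; it does not make the value safe to print, so it is still escaped with htmlspecialchars() on the way back out. If the field has to change between render and submit, or if a stale signed value must not be accepted again, bind it to the session or a nonce rather than relying on the HMAC alone.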