search
Homephp教程php手册htmlentities和htmlspecialchars 的区别详解

htmlentities和htmlspecialchars 的区别详解

Mar 16, 2017 pm 02:57 PM
htmlentitieshtmlspecialchars

很多人都以为htmlentities跟htmlspecialchars的功能是一样的,都是格式化html代码的,我以前也曾这么认为,但是今天我发现并不是这样的。

The translations performed are:

代码如下:

'&' (ampersand) becomes '&' 
'"' (double quote) becomes '"' when ENT_NOQUOTES is not set. 
''' (single quote) becomes ''' only when ENT_QUOTES is set. 
&#39;<&#39; (less than) becomes &#39;<&#39; 
&#39;>&#39; (greater than) becomes &#39;>&#39;

htmlspecialchars 只转化上面这几个html代码,而 htmlentities 却会转化所有的html代码,连同里面的它无法识别的中文字符也给转化了。 我们可以拿一个简单的例子来做比较:

代码如下:

$str=&#39;<a href="test.html">测试页面</a>&#39;; 
echo htmlentities($str); 
// <a href="test.html">²âÊÔÒ³Ãæ</a> 
$str=&#39;<a href="test.html">测试页面</a>&#39;; 
echo htmlspecialchars($str); 
// <a href="test.html">测试页面</a>


结论是,有中文的时候,最好用 htmlspecialchars ,否则可能乱码

另外参考一下这个自定义函数

代码如下:

function my_excerpt( $html, $len ) { 
// $html 应包含一个 HTML 文档。 
// 本例将去掉 HTML 标记,javascript 代码 
// 和空白字符。还会将一些通用的 
// HTML 实体转换成相应的文本。 
$search = array ("&#39;<script[^>]*?>.*?</script>&#39;si", // 去掉 javascript 
"&#39;<[\/\!]*?[^<>]*?>&#39;si", // 去掉 HTML 标记 
"&#39;([\r\n])[\s]+&#39;", // 去掉空白字符 
"&#39;&(quot|#34);&#39;i", // 替换 HTML 实体 
"&#39;&(amp|#38);&#39;i", 
"&#39;&(lt|#60);&#39;i", 
"&#39;&(gt|#62);&#39;i", 
"&#39;&(nbsp|#160);&#39;i", 
"&#39;&(iexcl|#161);&#39;i", 
"&#39;&(cent|#162);&#39;i", 
"&#39;&(pound|#163);&#39;i", 
"&#39;&(copy|#169);&#39;i", 
"&#39;(\d+);&#39;e"); // 作为 PHP 代码运行 
$replace = array ("", 
"", 
"\\1", 
"\"", 
"&", 
"<", 
">", 
" ", 
chr(161), 
chr(162), 
chr(163), 
chr(169), 
"chr(\\1)"); 
$text = preg_replace ($search, $replace, $html); 
$text = trim($text); 
return mb_strlen($text) >= $len ? mb_substr($text, 0, $len) : &#39;&#39;; 
}

htmlspecialchar()函数和htmlentities()函数类似都是把html代码转换,htmlspecialchars_decode是把转化的html的编码转换成转换回来。

我们可以拿一个简单的例子来做比较:

代码如下:

$str=&#39;<a href="test.html">测试</a>&#39;; 
$transstr = htmlspecialchars($str) ; 
echo $transstr . "<br />"; 
echo htmlspecialchars_decode($transstr)";

运行上面的代码,就可以看出两者的差别了。

一直都知道 PHP 中的 htmlentities 和 htmlspecialchars 函数都能把 html 中的特殊字符转换成对应的 character entity (不知道怎么翻译),也一直都知道 htmlentities 和 htmlspecialchars 函数有区别,但是一直都用不到这两个函数,也就没去研究过到底有什么区别。

今天用到了,懒得看 PHP 手册里的鸟语,觉得这种问题应该会有人用中文写过,于是 Google 关键词“htmlentities htmlspecialchars”,答案千篇一律。我已经司空见惯了,复制粘贴连小学生都会。经过对比发现,每篇文章大概都包含两部分:

第一部分是引用 PHP 手册的说明:

PHP 手册中对 htmlspecialchars 写道:

The translations performed are:

代码如下:

‘&&#39; (ampersand) becomes ‘&&#39; 
‘"&#39; (double quote) becomes ‘"&#39; when ENT_NOQUOTES is not set. 
”&#39; (single quote) becomes ‘&#39;&#39; only when ENT_QUOTES is set. 
‘<&#39; (less than) becomes ‘<&#39; 
‘>&#39; (greater than) becomes ‘>&#39;

这部分无可厚非,但是第二部分的解释却并不怎么正确:

htmlspecialchars 只转化上面这几个html代码,而 htmlentities 却会转化所有的html代码,连同里面的它无法识别的中文字符也给转化了。

我们可以拿一个简单的例子来做比较:

代码如下:

结论是,有中文的时候,最好用 htmlspecialchars ,否则可能乱码。

难道 htmlentities 函数只有一个参数吗?

当然不是!htmlentities 还有三个可选参数,分别是 $quote_style、 $charset、 $double_encode,手册对 $charset 参数是这样描述的:

Defines character set used in conversion. The default character set is ISO-8859-1.

从上面程序输出的结果判断,$str 是 GB2312 编码的,“测试页面”几个字对应的十六进制值是:

B2 E2 CA D4 D2 B3 C3 E6

然而却被当成 ISO-8859-1 编码来解析:

²âÊÔÒ³Ãæ

正好对应 HTML character entity 里的:

²âÊÔÒ³Ãæ 

当然会被 htmlentities 转义掉,但是只要加上正确的编码作为参数,根本就不会出现所谓的中文乱码问题:

$str=&#39;<a href="test.html">测试页面</a>&#39;; 
echo htmlentities($str, ENT_COMPAT, &#39;gb2312&#39;); 
// <a href="test.html">测试页面</a>三人成虎,以讹传讹。

结论:htmlentities 和 htmlspecialchars 的区别在于 htmlentities 会转化所有的 html character entity,而htmlspecialchars 只会转化手册上列出的几个 html character entity (也就是会影响 html 解析的那几个基本字符)。一般来说,使用 htmlspecialchars 转化掉基本字符就已经足够了,没有必要使用 htmlentities。实在要使用 htmlentities 时,要注意为第三个参数传递正确的编码。

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

MantisBT

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

EditPlus Chinese cracked version

EditPlus Chinese cracked version

Small size, syntax highlighting, does not support code prompt function

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

SecLists

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.