Escape special characters the same way in all PHP versions

The `htmlspecialchars()` function is used to escape arbitrary text strings for display.

Original the default for the `$flags` parameter of that function in PHP was `ENT_COMPAT`, which translates to "convert double quotes to `"` and leave single quotes alone".

As of PHP 8.1, the default value for the `$flags` parameter has been made more robust and was changed to `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401`, which translates to "convert both double and single quotes, replace invalid code unit sequences with a Unicode Replacement Character and treat code as HTML 4.01".

For code to provide the same/predictable output cross-version PHP, the `$flags` parameter should be explicitly set and what with the new default value being the more robust one, this commit adds that value for `$flags` in all instances of function calls to `htmlspecialchars()`.

Once the application minimum PHP version is PHP 8.1 or higher, the parameter can be removed again (as the value will then be the same as the default parameter value).

Ref: https://www.php.net/manual/en/function.htmlspecialchars.php

examples/mailing_list.phps

@@ -51,7 +51,10 @@ foreach ($result as $row) {
     try {
         $mail->addAddress($row['email'], $row['full_name']);
     } catch (Exception $e) {
-        echo 'Invalid address skipped: ' . htmlspecialchars($row['email']) . '<br>';
+        printf(
+            'Invalid address skipped: %s<br>',
+            htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401)
+        );
         continue;
     }
     if (!empty($row['photo'])) {
@@ -66,8 +69,11 @@ foreach ($result as $row) {
 
     try {
         $mail->send();
-        echo 'Message sent to :' . htmlspecialchars($row['full_name']) . ' (' .
-            htmlspecialchars($row['email']) . ')<br>';
+        printf(
+            'Message sent to : %s (%s)<br>',
+            htmlspecialchars($row['full_name'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401),
+            htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401)
+        );
         //Mark it as sent in the DB
         mysqli_query(
             $mysql,
@@ -75,7 +81,11 @@ foreach ($result as $row) {
             mysqli_real_escape_string($mysql, $row['email']) . "'"
         );
     } catch (Exception $e) {
-        echo 'Mailer Error (' . htmlspecialchars($row['email']) . ') ' . $mail->ErrorInfo . '<br>';
+        printf(
+            'Mailer Error (%s) %s<br>',
+            htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401),
+            $mail->ErrorInfo
+        );
         //Reset the connection to abort sending this message
         //The loop will continue trying to send to the rest of the list
         $mail->getSMTPInstance()->reset();

examples/send_file_upload.phps

@@ -54,7 +54,7 @@ if (array_key_exists('userfile', $_FILES)) {
         <input type="submit" value="Send File">
     </form>
 <?php } else {
-    echo htmlspecialchars($msg);
+    echo htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401);
 } ?>
 </body>
 </html>

examples/send_multiple_file_upload.phps

@@ -54,7 +54,7 @@ if (array_key_exists('userfile', $_FILES)) {
         <input type="submit" value="Send Files">
     </form>
 <?php } else {
-    echo htmlspecialchars($msg);
+    echo htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401);
 } ?>
 </body>
 </html>

get_oauth_token.php

@@ -178,5 +178,5 @@ if (!isset($_GET['code'])) {
     );
     //Use this to interact with an API on the users behalf
     //Use this to get a new access token if the old one expires
-    echo 'Refresh Token: ', htmlspecialchars($token->getRefreshToken());
+    echo 'Refresh Token: ', htmlspecialchars($token->getRefreshToken(), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401);
 }