From 57ef8c914f78741e359f0cffe679d87c6ce46ccc Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Mon, 24 Nov 2025 10:48:09 +0100
Subject: [PATCH] Escape special characters the same way in all PHP versions
The `htmlspecialchars()` function is used to escape arbitrary text strings for display. Original the default for the `$flags` parameter of that function in PHP was `ENT_COMPAT`, which translates to "convert double quotes to `"` and leave single quotes alone". As of PHP 8.1, the default value for the `$flags` parameter has been made more robust and was changed to `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401`, which translates to "convert both double and single quotes, replace invalid code unit sequences with a Unicode Replacement Character and treat code as HTML 4.01". For code to provide the same/predictable output cross-version PHP, the `$flags` parameter should be explicitly set and what with the new default value being the more robust one, this commit adds that value for `$flags` in all instances of function calls to `htmlspecialchars()`. Once the application minimum PHP version is PHP 8.1 or higher, the parameter can be removed again (as the value will then be the same as the default parameter value). Ref: https://www.php.net/manual/en/function.htmlspecialchars.php
---
 examples/mailing_list.phps | 18 ++++++++++++++----
 examples/send_file_upload.phps | 2 +-
 examples/send_multiple_file_upload.phps | 2 +-
 get_oauth_token.php | 2 +-
 4 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/examples/mailing_list.phps b/examples/mailing_list.phps
index a3aa9d4d..9eb05d63 100644
--- a/examples/mailing_list.phps
+++ b/examples/mailing_list.phps
@@ -51,7 +51,10 @@ foreach ($result as $row) {
 try {
 $mail->addAddress($row['email'], $row['full_name']);
 } catch (Exception $e) {
- echo 'Invalid address skipped: ' . htmlspecialchars($row['email']) . '
';
+ printf(
+ 'Invalid address skipped: %s
',
+ htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401)
+ );
 continue;
 }
 if (!empty($row['photo'])) {
@@ -66,8 +69,11 @@ foreach ($result as $row) {
 try {
 $mail->send();
- echo 'Message sent to :' . htmlspecialchars($row['full_name']) . ' (' .
- htmlspecialchars($row['email']) . ')
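Review bot: The new `htmlspecialchars()` calls still leave the third `$encoding` argument to the ini `default_charset`, so the output is not fully pinned cross-version: which byte sequences `ENT_SUBSTITUTE` treats as invalid and replaces depends on that encoding. Passing it explicitly matches the commit's intent, e.g. `htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8')`; the same applies to the other two hunks in this file and to the get_oauth_token.php hunk. Since the flag combination is now repeated in every call, a single constant or small escaping helper per example would keep it in one place when the minimum PHP version later allows dropping it. The enclosing `foreach` starts outside the hunk.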
';
+ printf(
+ 'Message sent to : %s (%s)
',
+ htmlspecialchars($row['full_name'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401),
+ htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401)
+ );
 //Mark it as sent in the DB
 mysqli_query(
 $mysql,
@@ -75,7 +81,11 @@ foreach ($result as $row) {
 mysqli_real_escape_string($mysql, $row['email']) . "'"
 );
 } catch (Exception $e) {
- echo 'Mailer Error (' . htmlspecialchars($row['email']) . ') ' . $mail->ErrorInfo . '
';
+ printf(
+ 'Mailer Error (%s) %s
',
+ htmlspecialchars($row['email'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401),
+ $mail->ErrorInfo
+ );
 //Reset the connection to abort sending this message
 //The loop will continue trying to send to the rest of the list
 $mail->getSMTPInstance()->reset();
diff --git a/examples/send_file_upload.phps b/examples/send_file_upload.phps
index 31d22837..8c6ec070 100644
--- a/examples/send_file_upload.phps
+++ b/examples/send_file_upload.phps
@@ -54,7 +54,7 @@ if (array_key_exists('userfile', $_FILES)) {
diff --git a/examples/send_multiple_file_upload.phps b/examples/send_multiple_file_upload.phps
index aeb65c14..e892ecb5 100644
--- a/examples/send_multiple_file_upload.phps
+++ b/examples/send_multiple_file_upload.phps
@@ -54,7 +54,7 @@ if (array_key_exists('userfile', $_FILES)) {
diff --git a/get_oauth_token.php b/get_oauth_token.php
index 0e54a00b..9342b9c7 100644
--- a/get_oauth_token.php
+++ b/get_oauth_token.php
@@ -178,5 +178,5 @@ if (!isset($_GET['code'])) {
 );
 //Use this to interact with an API on the users behalf
 //Use this to get a new access token if the old one expires
- echo 'Refresh Token: ', htmlspecialchars($token->getRefreshToken());
+ echo 'Refresh Token: ', htmlspecialchars($token->getRefreshToken(), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401);
 }
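Review bot: In the new `printf()` of the Mailer Error hunk, the second `%s` receives `$mail->ErrorInfo` unescaped while the address next to it is escaped, so the two values written into the same HTML line are treated inconsistently. `ErrorInfo` can carry text that did not originate in this script (it often includes the response returned by the SMTP server), so it is not guaranteed to be HTML-safe. Passing `htmlspecialchars($mail->ErrorInfo, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401)` instead of the bare `$mail->ErrorInfo` argument would apply the commit's escaping uniformly. The `catch` belongs to a `try` that starts outside the hunk.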