kohana / core

Core system classes from Kohana
http://kohanaframework.org

HTML::chars() decode #507

Closed ursoforte closed 10 years ago

ursoforte commented 10 years ago

I've been using "HTML::chars($username);" to clean the strings passed in the form.

    // Encode every submitted value before it reaches the database
    $values = Arr::map('HTML::chars', $values);

    DB::insert('database', array_keys($values))
        ->values($values)
        ->execute();

On data retrieval I do this:

    // Defined in a class extending Kohana_HTML (application/classes/HTML.php)
    // so that it is callable as HTML::chars_decode()
    public static function chars_decode($value) {
        return html_entity_decode($value, ENT_QUOTES, Kohana::$charset);
    }

    // Decode every stored value on the way out
    $values = Arr::map('HTML::chars_decode', $values);

This removes all suspect HTML-escape characters. To me it seems quite useful. Could the method "chars_decode" be in the core?

kemo commented 10 years ago

I can see no reason to store HTML chars in your db, you're supposed to use that at output, not all the time.

lenton commented 10 years ago

Yes, as @kemo has said, you're supposed to use HTML::chars when outputting unsafe strings, not before inserting them into the database. Having encoded strings in your database causes problems such as not being able to search the strings in your database properly. Also, what if you wanted to put your data into a JSON file? You would have lots of unwanted HTML encoding in it.

ursoforte commented 10 years ago

Great, I did! My idea is to clean the data before storing it in the database, as per @feketegy in http://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/

it looks like "HTML Purifier" is better for this.

feketegy commented 10 years ago

Use HTML Purifier if you want to preserve HTML in your content, otherwise strip all tags out from it.

shadowhand commented 10 years ago

otherwise strip all tags out from it

even if you strip tags, output should be escaped.
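The points made by @lenton (encoded data breaks search and leaks entities into JSON) and by @shadowhand (stripping tags does not replace output escaping) as one runnable added example. This is not code from the issue or from Kohana: `escape_html()` is a stand-in for Kohana's `HTML::chars()` built on `htmlspecialchars` with `ENT_QUOTES`, the charset is assumed to be UTF-8, and the submitted strings are constructed for the demonstration.

```php
<?php
// Added example, not Kohana code. Compares "encode before storing" with
// "store raw, escape at output", then shows why strip_tags() alone is not
// an output-escaping step.
declare(strict_types=1);

// Stand-in for Kohana's HTML::chars(): assumes UTF-8 rather than Kohana::$charset.
function escape_html(string $value, bool $double_encode = true): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', $double_encode);
}

// Constructed form input: an apostrophe, an ampersand and some markup.
$submitted = "O'Brien & <b>Sons</b>";

// --- Approach from the issue: encode before storing ---------------------
$stored_encoded = escape_html($submitted);
// Stored as: O&#039;Brien &amp; &lt;b&gt;Sons&lt;/b&gt;

// Problem 1: a plain substring search against the stored value fails,
// because the apostrophe is now the entity &#039;.
var_dump(strpos($stored_encoded, "O'Brien") !== false); // bool(false)

// Problem 2: sending the stored value through the normal output escape
// double-encodes it (&amp;#039; and &amp;amp; reach the browser).
echo escape_html($stored_encoded), "\n";

// Problem 3: any non-HTML export carries the HTML entities with it.
echo json_encode(['name' => $stored_encoded]), "\n";

// --- Recommended: store raw, escape at output ----------------------------
$stored_raw = $submitted;
var_dump(strpos($stored_raw, "O'Brien") !== false);     // bool(true)
echo '<td>' . escape_html($stored_raw) . "</td>\n";     // safe in element content
echo json_encode(['name' => $stored_raw]), "\n";        // clean JSON, no entities

// --- Why strip_tags() is not a substitute for escaping -------------------
// Constructed payload for an attribute context: it contains no tags at all,
// so strip_tags() returns it unchanged.
$attr_payload = '" onmouseover="alert(1)';
$stripped = strip_tags($attr_payload);

// Unescaped: the quote closes value="..." and the rest becomes an event handler.
echo '<input value="' . $stripped . '">', "\n";

// Escaped at output: the quote becomes &quot; and stays inside the attribute.
echo '<input value="' . escape_html($stripped) . '">', "\n";
```

Keeping the database value raw means the same record can be searched, exported to JSON, or rendered in HTML, and each sink applies its own encoding once. The last section is the case the thread closes on: `strip_tags()` only removes things that look like tags, so text that breaks out of a quoted attribute passes through untouched and still needs `HTML::chars()` at the point of output.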