Use htmlspecialchars instead of htmlentities for the html_input…

… option That will make the HTML output much simpler and easier to read, and also more compact. See https://fr.reddit.com/r/PHP/comments/4qbf4g/improving_handling_of_untrusted_html_input_in/d4te6ms?context=3
thephpleague · Jun 30, 2016 · 2326168 · 2326168
1 parent 2bf7847
commit 2326168
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/Block/Renderer/HtmlBlockRenderer.php b/src/Block/Renderer/HtmlBlockRenderer.php
@@ -51,7 +51,7 @@ public function render(AbstractBlock $block, ElementRendererInterface $htmlRende
         }
 
         if ($this->config->getConfig('html_input') === Environment::HTML_INPUT_ESCAPE) {
-            return htmlentities($block->getStringContent(), ENT_NOQUOTES);
+            return htmlspecialchars($block->getStringContent(), ENT_NOQUOTES);
         }
 
         return $block->getStringContent();

diff --git a/src/Inline/Renderer/HtmlInlineRenderer.php b/src/Inline/Renderer/HtmlInlineRenderer.php
@@ -50,7 +50,7 @@ public function render(AbstractInline $inline, ElementRendererInterface $htmlRen
         }
 
         if ($this->config->getConfig('html_input') === Environment::HTML_INPUT_ESCAPE) {
-            return htmlentities($inline->getContent(), ENT_NOQUOTES);
+            return htmlspecialchars($inline->getContent(), ENT_NOQUOTES);
         }
 
         return $inline->getContent();