{htmlspecialchars:string}

Description

Escapes the HTML-special characters in a string so the result is safe to print inside HTML page text or an attribute. It is the AA counterpart of PHP's htmlspecialchars() and converts five characters to their HTML entities: ampersand, less-than, greater-than, double quote, and single quote (apostrophe). All other characters pass through unchanged; see the examples below for the exact entity each character produces. Note that it does NOT skip already-encoded entities, so an existing entity is encoded a second time (double encoding). This command is deprecated and is now just an alias of the safe command: internally both call the same safe() function, so prefer safe in new templates. Use it whenever you place untrusted or user-submitted text into HTML, to prevent broken markup and cross-site scripting.

Parameters

string (required; default: empty string)

The text to escape. Any HTML-special characters in it are replaced by their HTML entities; everything else is left unchanged. It is usually the output of a field-getter or of another command. An empty value yields an empty string.

Examples

test: {htmlspecialchars:a &amp; b}
Expected: a &amp;amp; b
Actual: a &amp;amp; b
The command does not detect already-encoded entities. The ampersand of an existing &amp; is escaped again, so &amp; becomes &amp;amp;. The safe command behaves identically here despite older notes to the contrary.
test: {htmlspecialchars:5" nail}
Expected: 5&quot; nail
Actual: 5&quot; nail
A double quote becomes &quot;, which keeps a value from breaking out of a double-quoted HTML attribute.
test: {htmlspecialchars:Ben & "Jerry's" <ice> & cream}
Expected: Ben &amp; &quot;Jerry&apos;s&quot; &lt;ice&gt; &amp; cream
Actual: Ben &amp; &quot;Jerry&apos;s&quot; &lt;ice&gt; &amp; cream
A typical real case: one value containing all five specials. In practice you would wrap a field-getter, e.g. {safe:_#FULLTEXT}, since safe is the preferred spelling.
test: {htmlspecialchars:Tom & Jerry}
Expected: Tom &amp; Jerry
Actual: Tom &amp; Jerry
A bare ampersand would start an HTML entity, so it is escaped to &amp;. Everything else is unchanged.
test: {htmlspecialchars:it's done}
Expected: it&apos;s done
Actual: it&apos;s done
A single quote becomes &apos;. This install uses HTML5 entities, so it is &apos; (not the numeric &#039; the old PHP default produced).
test: {htmlspecialchars:<b>bold</b>}
Expected: &lt;b&gt;bold&lt;/b&gt;
Actual: &lt;b&gt;bold&lt;/b&gt;
Less-than and greater-than become &lt; and &gt;, so the tag is shown as text instead of being interpreted as HTML markup.
Deprecated: use {safe:...} instead
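As an added example (not the AA project's own code), here is a Python reimplementation of the escaping rules described above: the five-character table with the HTML5 &apos; spelling, the default double-encoding of an existing entity, and an attribute helper showing why &quot; matters. The double_encode=False switch is an assumption added here, modelled on the PHP flag of that name, and is not something the AA command offers.

```python
import re

# Entity table matching the page: five characters, HTML5 spelling (&apos;, not &#039;).
ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;"}

# A well-formed existing entity: named (&amp;), decimal (&#39;) or hex (&#x27;).
_ENTITY_RE = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")


def htmlspecialchars(text: str, double_encode: bool = True) -> str:
    """Escape the five HTML-special characters.

    double_encode=True mirrors the AA command (and PHP's default): every
    ampersand is escaped, so an existing &amp; becomes &amp;amp;.
    double_encode=False is an assumed extra, modelled on PHP's flag of the
    same name: an ampersand that already starts a well-formed entity is kept.
    """
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "&" and not double_encode:
            m = _ENTITY_RE.match(text, i)
            if m:  # leave the existing entity untouched
                out.append(m.group(0))
                i = m.end()
                continue
        out.append(ENTITIES.get(ch, ch))
        i += 1
    return "".join(out)


def attribute(name: str, value: str) -> str:
    """Render name="value" with the value escaped. A double quote in the value
    becomes &quot;, so it cannot close the attribute early."""
    return f'{name}="{htmlspecialchars(value)}"'


if __name__ == "__main__":
    # Constructed samples mirroring the page's examples.
    samples = ["a &amp; b", '5" nail', "Ben & \"Jerry's\" <ice> & cream",
               "Tom & Jerry", "it's done", "<b>bold</b>"]
    for s in samples:
        print(f"{s!r:40} -> {htmlspecialchars(s)}")
    print(attribute("title", '5" nail'))
```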