Reputation: 4601
<?php
$x = array("<b>","<i>","b","i","<h1>hello</h1>");
print_r ($x);
echo "<hr>";
var_dump ($x);
outputs this in the html source!
Array
(
[0] => <b>
[1] => <i>
[2] => b
[3] => i
[4] => <h1>hello</h1>
)
<hr>array(5) {
[0]=>
string(3) "<b>"
[1]=>
string(3) "<i>"
[2]=>
string(1) "b"
[3]=>
string(1) "i"
[4]=>
string(14) "<h1>hello</h1>"
}
Obviously, I could have been XSS'ed by that!
How can I make sure that the array values are htmlencoded?
Upvotes: 11
Views: 32304
Reputation: 777
Indeed the solution with print_r with true is the simplest solution. But I would do:
$ret = htmlentities( print_r( $some_array, true ) );
$ret = str_replace( array("\n"), array('<br>'), $ret );
printf( "<br>Result is: <br>%s<br>", $ret );
But that is up-to you-all.
Upvotes: 0
Reputation: 51
echo '<pre>';
echo htmlspecialchars(print_r($key['value'], true));
echo '</pre>';
I use this code to output an array value (contains adsense code) from no sql database.
Upvotes: 5
Reputation: 40746
A function that works for me is described in this PHP manual comment.
His function that replaces var_dump is implemented as:
function htmlvardump()
{
    // Capture var_dump's output instead of letting it reach the browser raw
    ob_start();
    $var = func_get_args();
    call_user_func_array('var_dump', $var);
    // Escape the buffered text before echoing it
    echo htmlentities(ob_get_clean());
}
This works for me in PHP 5.3+.
(Please note that there was a typo in the original source).
Upvotes: 6
Reputation: 402
While this question has an accepted answer, I think David Morrow's answer is the best/simplest/most practical (uses the print_r true flag):
echo "<pre>".htmlentities(print_r($some_array, true))."</pre>";
Nevertheless, here is another solution that uses output buffering:
<?php
ob_start();
print_r($some_array);
$buffer = ob_get_clean();
echo "<pre>".htmlentities($buffer)."</pre>";
?>
Upvotes: 28
Reputation: 9354
Or you could just save the print_r to a string and then escape it using the second parameter set to true.
$arr = array('<script>alert("hey");</script>');
$str = print_r($arr, true);
echo htmlentities($str);
outputs:
Array
(
[0] => <script>alert("hey");</script>
)
The script is not executed.
Upvotes: 8
Reputation: 51
I found this page very helpful, but I did modify the functions to be recursive: the walker handler function checks for an array at the value after echoing the key, and then calls back the original function on that array. I think this makes it a true 'recursive htmlentity function', hence the new name...
function htmlentities_print_r( $inputarray ) {
    echo "<pre>" ;
    array_walk( $inputarray , "html_encoder" ) ;
    echo "</pre>";
}
function html_encoder($current_val,$current_key){
    echo "['" , htmlentities($current_key, ENT_QUOTES, "UTF-8") , "']", " => ";
    if ( is_array( $current_val ) ) {
        // recurse into nested arrays with the same escaping
        htmlentities_print_r( $current_val ) ;
    } else {
        echo htmlentities($current_val, ENT_QUOTES, "UTF-8") , "\n";
    }
}
Upvotes: 1
Reputation: 265707
A simple solution would be to use array_walk_recursive:
array_walk_recursive($inputarray, function(&$v) { $v = htmlspecialchars($v); });
Upvotes: 5
Reputation: 15485
I found that knittl's code does not work. I had to make some small changes to get it to work as follows:
array_walk_recursive($inputarray, function(&$v) { $v = htmlspecialchars($v); });
Now this works fine in PHP5.3+
Upvotes: 10
Reputation: 4601
Thanks to Knittl, here is what I came up with. Works the way I wanted!
<?php
$x = array("tag1" => "<b>","tag2" => "<i>","tag3" => "b","tag4" => "i","tag5" => "<h1>hello</h1>");
echo "<hr><pre>";
blp_print_r ($x);
echo "<hr>";
print_r($x);
echo "</pre><hr>";
/*
outputs this in the browser normal view
new one...
Array
(
['tag1'] => <b>
['tag2'] => <i>
['tag3'] => b
['tag4'] => i
['tag5'] => <h1>hello</h1>
)
traditional one...
Array
(
[tag1] =>
[tag2] =>
[tag3] => b
[tag4] => i
[tag5] =>
hello
)
*/
function blp_print_r($inputarray){
echo "Array\n(\n";
echo "<blockquote>";
array_walk($inputarray,"html_encoder");
echo "</blockquote>";
echo ")";
}
function html_encoder($current_val,$current_key){
echo "['" , htmlentities($current_key, ENT_QUOTES, "UTF-8") , "']", " => ";
echo htmlentities($current_val, ENT_QUOTES, "UTF-8") , "\n";
}
?>
Upvotes: 1
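As an added example that is not code from any of the answers above: the array_walk_recursive approach only escapes values (keys pass through untouched), and the per-element htmlentities calls fail or warn when they meet non-string values (ints, null, bools) under strict_types or on PHP 8.1+. The dumper below escapes every key and value, uses ENT_QUOTES | ENT_SUBSTITUTE with an explicit UTF-8 charset (PHP before 8.1 defaults to ENT_COMPAT, which leaves single quotes alone and returns an empty string for invalid UTF-8), and handles nested arrays, objects and scalars. The function names h() and html_print_r() and the sample array are assumptions made for this example; it assumes PHP 7.0 or later.

```php
<?php
// Added example, not from the original answers. Assumes PHP 7.0+.
// Function names h() and html_print_r() are illustrative.
declare(strict_types=1);

/**
 * Escape one string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES covers both ' and " (PHP < 8.1 defaults to ENT_COMPAT, which
 * leaves ' alone); ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead
 * of returning '', which would otherwise make a dumped value vanish silently.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * print_r-style rendering of $value in which every key AND value is escaped.
 * array_walk_recursive() only visits values, so a hostile key such as
 * '<img src=x onerror=alert(1)>' would still reach the page unescaped.
 * Non-string scalars are converted explicitly: under strict_types (or on
 * PHP 8.1+ for null) handing them straight to htmlspecialchars() fails.
 */
function html_print_r($value, int $depth = 0): string
{
    $pad = str_repeat('    ', $depth);
    if (is_array($value) || is_object($value)) {
        $label = is_array($value) ? 'Array' : h(get_class($value)) . ' Object';
        $out = $label . "\n" . $pad . "(\n";
        // get_object_vars() called from outside the class yields public props only.
        foreach (is_array($value) ? $value : get_object_vars($value) as $k => $v) {
            $out .= $pad . '    [' . h((string) $k) . '] => '
                  . html_print_r($v, $depth + 1) . "\n";
        }
        return $out . $pad . ')';
    }
    if (is_string($value)) {
        return h($value);
    }
    if (is_bool($value)) {
        return $value ? 'true' : 'false';
    }
    if ($value === null) {
        return 'null';
    }
    return h((string) $value); // int or float
}

// Constructed sample input: the payloads from the question plus a hostile
// key, a nested array, an invalid UTF-8 byte and non-string scalars.
$x = [
    'tag1'                         => '<b>',
    'tag5'                         => '<h1>hello</h1>',
    '<img src=x onerror=alert(1)>' => 'key attack',
    'nested'                       => ['<script>alert("hey");</script>', "bad\xFFutf8", null, true, 42],
];

// Unsafe: print_r() hands raw markup to the browser and the nested <script> runs.
// echo '<pre>', print_r($x, true), '</pre>';

// Safe: everything the browser receives is escaped, keys included.
echo '<pre>', html_print_r($x), "</pre>\n";

// Escaping the finished print_r() text (the accepted approach) also covers
// keys, because the escaping runs over the whole rendered string rather
// than per element; pass the flags explicitly for the same reason as above.
echo '<pre>', h(print_r($x, true)), "</pre>\n";
```

Run it from the command line with php and view the emitted markup; the 0xFF byte shows up as U+FFFD rather than causing the value to disappear, and the hostile key is rendered as text instead of as an img tag.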