Matt Whitehead

Reputation: 1801

Outputting form input if there was an error

So I've always heard and read that you need to sanitize any user input if it's to be output back to HTML. What I'm wondering is, do I need to sanitize any input that is output if there was an error?

For example, in my form error handling, I have it so the page gets re-displayed with the error message showing and telling the user what went wrong, but also outputting their input as the form's value so they don't have to re-type it and they can see where they went wrong. My question is, do I need to use htmlspecialchars() to sanitize the user's input when it's output as the value of the form field?

Here is what one of my input fields looks like right now.

<label for="email">E-mail Address: <?php if($btnPressed) { checkInput($_POST['email'], true, true); } // Check the validity of the input ?></label>
<input type="text" name="email" id="email" value="<?php if($btnPressed) { echo $_POST['email']; } // Output the user's input if an error occurred ?>" maxlength="50" />

Here is what I think I should be doing.

<label for="email">E-mail Address: <?php if($btnPressed) { checkInput($_POST['email'], true, true); } // Check the validity of the input ?></label>
<input type="text" name="email" id="email" value="<?php if($btnPressed) { echo htmlspecialchars($_POST['email']); } // Output the user's input if an error occurred ?>" maxlength="50" />

Any help is greatly appreciated.

Upvotes: 0

Views: 59

Answers (1)

Quentin

Reputation: 943591

Yes, you need to run the data through htmlspecialchars.

Otherwise you have two major problems.

  1. A third party could link (or submit a hidden form with JS (since you are using $_POST they would have to use this approach)) to your site sending whatever data they liked (including "><script...) as the user who visited their attack site.
  2. If the user enters a " in their data (either because it is a typo or because their data really does include a " character), it will break when you display it back to them.

Upvotes: 1
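To make the two points in the answer concrete, here is an added example (not code from the question or the answer) that renders the email field once the way the original snippet does and once with htmlspecialchars(), using a constructed stand-in for $_POST so it runs without a real request. The helper names attr(), previous(), emailFieldUnsafe() and emailFieldSafe() are assumptions for this illustration.

```php
<?php
declare(strict_types=1);

// Escape a string for placement inside a double-quoted HTML attribute.
// ENT_QUOTES also encodes single quotes, so the helper stays correct if the
// attribute is later written with single quotes instead.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Previous value for a field, or '' when it was not submitted at all
// (avoids an "undefined array key" warning on the first page load).
function previous(array $post, string $key): string
{
    return isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
}

// Mirrors the original unescaped line: the raw value is pasted into the markup.
function emailFieldUnsafe(string $previous): string
{
    return '<input type="text" name="email" id="email" value="'
        . $previous . '" maxlength="50" />';
}

// Hardened variant: the value is escaped, so a quote in the data cannot end
// the attribute early and an angle bracket cannot start a new tag.
function emailFieldSafe(string $previous): string
{
    return '<input type="text" name="email" id="email" value="'
        . attr($previous) . '" maxlength="50" />';
}

// Constructed stand-in for $_POST after a typo that contains a double quote
// (the answer's second point) and an angle bracket. No real request is used.
$post = ['email' => 'bob"@example.com <oops>'];
$typed = previous($post, 'email');

echo emailFieldUnsafe($typed), PHP_EOL; // the quote closes the attribute; the rest becomes stray markup
echo emailFieldSafe($typed), PHP_EOL;   // the whole value stays inside the attribute as entities

// Round trip: a browser decodes the entities, so the user sees exactly what
// they typed, which is the whole point of re-populating the field.
if (html_entity_decode(attr($typed), ENT_QUOTES | ENT_HTML5, 'UTF-8') !== $typed) {
    throw new RuntimeException('escaping did not round-trip');
}
```

Run it with `php` on the command line and compare the two lines of output; the same attr() helper applies to every user-supplied value echoed into an attribute, not only this field.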
