Reputation: 162
I couldn't find a relevant question to this, so I'll try my luck here.
There is a closed-source software, written in PHP, that sanitizes HTML entities (I think using htmlspecialchars();). It is therefore not possible to display entities as
. The software tries to split strings using spaces. Therefore the non-breaking space should not affect the splitting process and I would be able to write string1 string2
and it should be interpreted as one word. Reality is, the sanitizing encodes the non-breaking space and does not allow the interpretation of it.
Is it possible to bypass the sanitizing of an HTML entity (maybe using a UTF-8 character) to display the non-breaking space instead of
?
I can only input string values and don't have the option to modify the source.
Upvotes: 1
Views: 1090
Reputation: 20081
There is actually no need to bypass the sanitizing of an HTML entity. It's there for a purpose.
When you have to use values on the server side or in other functions, you need to decode the values back to their original values.
In JS:

    decodeHtml('string1 string2')

Live Example: http://jsfiddle.net/pranavq212/xasjyjtk/1/

    // Decode HTML entities by letting the browser parse them inside a
    // detached <textarea>, whose content is treated as text, not markup.
    function decodeHtml(html) {
        var txt = document.createElement("textarea");
        txt.innerHTML = html;
        return txt.value;
    }

    // On submit, decode the field value and show the result.
    document.getElementById('form').onsubmit = function(e) {
        e.preventDefault();
        var input = document.getElementById('input').value;
        var output = decodeHtml(input);
        alert(output);
    };

    input {
        width: 100%;
        display: block;
    }

    <form id="form">
        <input type="text" id="input" placeholder="input" value="string1 string2">
        <input type="submit" value="alert(input)">
    </form>

In PHP:

    htmlspecialchars_decode($str, ENT_NOQUOTES)

Refer to this for details: http://php.net/manual/en/function.htmlspecialchars-decode.php
You can also use html_entity_decode to convert all HTML entities to their applicable characters.
For usage and details, refer to: http://php.net/manual/en/function.html-entity-decode.php
Upvotes: 1
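
The difference between the two PHP decoders named in the answer above, shown on the question's input, as an added example that is not part of the original answer. It assumes the application escapes input with htmlspecialchars() (the asker's guess) and splits with explode(' ', ...); all sample strings are constructed.

```php
<?php
// Added example. Assumptions: the application escapes input with
// htmlspecialchars() and splits on an ASCII space with explode().
// All sample strings below are constructed.

$typed  = 'string1&nbsp;string2';
$stored = htmlspecialchars($typed, ENT_QUOTES, 'UTF-8');   // "&" becomes "&amp;"

// htmlspecialchars_decode() only reverses &amp; &lt; &gt; (plus quotes, per flags),
// so the result is the entity text "&nbsp;" again, not a U+00A0 character.
$special = htmlspecialchars_decode($stored, ENT_NOQUOTES);

// html_entity_decode() also knows named entities and decodes one level per call,
// so applied to $special it yields a real U+00A0 (bytes C2 A0 in UTF-8).
$decoded = html_entity_decode($special, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// json_encode() makes the otherwise invisible character visible as \u00a0.
foreach (['stored' => $stored, 'special' => $special, 'decoded' => $decoded] as $k => $v) {
    printf("%-8s %s\n", $k, json_encode($v));
}

// U+00A0 is not the byte 0x20, so splitting on ' ' keeps the value as one token.
printf("tokens   %d\n", count(explode(' ', $decoded)));

// Decoded text is untrusted again: encode it at the point of output.
$markup = html_entity_decode('&lt;b&gt;bold&lt;/b&gt;', ENT_QUOTES | ENT_HTML5, 'UTF-8');
printf("raw      %s\n", $markup);                                        // markup if echoed into a page
printf("escaped  %s\n", htmlspecialchars($markup, ENT_QUOTES, 'UTF-8')); // inert text
```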