CODEWITHSUNDEEP
phphtml
user10362353
user10362353

Reputation:

HTML Option: Displays the value instead of the actual text

So i have some confusion here.

My code is:

<select name="email" id="email_template" style="width:200px;">
<? foreach($order_email as $omail) { ?>
<option value="<?php echo $omail->text; ?>"> <?php echo $omail->headline; ?></option>
                <? } ?>
                </select>

So my issue is that, the option would rather display the value ($omail->text) instead of the text ($omail->headline)

When i make the value empty, it does display the text. But also when i make a smaller input in the value, it also displays.

The value is a big chunck HTML text (formatted) and is about 300 lines.

So i was thinking it would rather display the larger one, or am i wrong here?

Upvotes: 0

Views: 90

Answers (1)

Erik
Erik

Reputation: 3636

The problem is that your value contains html; if you output that "as is" to the page (as you are doing here) then the browser will see the closing signs inside your value, thinks you meant to close the tag, and then treats everything after that as a containing element.

Essentially, you are producing output like this:

<option value="<div>my value</div>" />My expected shown value</option>

But because the div inside the value contains the > symbol, your html is invalid. What you're seeing is the browser trying to render your page and failing. But the real issue is the thing you're trying to use as a value.

Now you could use some html escaping to properly put html inside a value attribute, which would use php's html_entities function and produce something like this:

<option value="&gt;div&lt;my value&gt;/div&lt;" />My expected shown value</option>

But really, the correct way to handle this is by not putting large amounts of html inside a value. That's just asking for trouble. Since the user can freely manipulate what's in there, and your system is accepting that the value is html, you are likely opening your system up to some security related issues.

Also, you're putting extra strain on your server and the browser by sending hundreds of lines of html hidden inside the page and then asking the browser to send them back.

Just send some kind of identifier and keep the html tucked away on your server somewhere. That's safer for everyone.

Upvotes: 1

Related Questions