<?php
$x = array("<b>","<i>","b","i","<h1>hello</h1>");
print_r ($x);
echo "<hr>";
var_dump ($x);
outputs this in the html source!
Array
(
[0] => <b>
[1] => <i>
[2] => b
[3] => i
[4] => <h1>hello</h1>
)
<hr>array(5) {
[0]=>
string(3) "<b>"
[1]=>
string(3) "<i>"
[2]=>
string(1) "b"
[3]=>
string(1) "i"
[4]=>
string(14) "<h1>hello</h1>"
}
Obviously, I could have been XSS'ed by that!
How can I make sure that the array values are htmlencoded?
I found that knittl's code does not work. I had to make some small changes to get it to work as follows:
array_walk_recursive($inputarray, function(&$v) { $v = htmlspecialchars($v); });
Now this works fine in PHP5.3+