I need to use htmlspecialchars but it only accepts the address of the file, can I make it accept the code and not the address?
return "<script src='" . htmlspecialchars('static/functions.js', ENT_QUOTES, 'utf-8') . "'" . nonce() . "></script>n";
function nonce() {
return ' nonce="' . get_nonce() . '"';
}
function get_nonce() {
static $nonce;
if (!$nonce) {
$nonce = base64_encode(rand_string());
}
return $nonce;
}
Advertisement
Answer
The HTML <script src= is going to fetch a resource and run it, from wherever you have specified in the src attribute. It’s expecting a URL.
The htmlspecialchars( function is expecting a string, and will return a string.
The way you have it right now, it will take the string "static/functions.js" and process it.
Your question suggests you want it to operate on the contenst of the file. This is techncially possible, but the file has to be fetched first.
htmlspecialchars( file_get_contents(__DIR__ . 'static/functions.js') )
But that still seems odd. You want to convert all the encoded special characters in your JavaScript file to their HTML entities? Like < to <? That’s almost surely going to make the JavaScript invalid.
Even if it didn’t ruin your JavaScript, you’d still be trying to take the contents of that file and putting them in the src property of the script tag, which is expecting a URL.
Overall this seems like you need to step back and think about what exactly you’re trying to accomplish.
Edit for OP question in comments
<div>
<span>Some regular HTML content</span>
</div>
<script>
<?php
// we're now in PHP, about to store some JavaScript as a string
$js = <<<EOD
console.log("I am a JavaScript console message!");
console.log("Me too!");
EOD; // note this can't be indentend or spaced, it has to be flush left
// we can 'echo' the JavaScript directly into the HTML
echo $js;
?>
</script>