Something is unescaping all html entities before output to browser [closed]

This was a case of UTF-8 character encoding taking over the presentational view of your browser and converting those HTML entities into their counter parts, human readable text.

After all, you might have very well wanted a string that looked like; "BLA for some reason or another to the eyes of your viewer instead of "BLA.

From a security perspective such input, especially if its coming in the form of user-generated data (unescaped), poses a great risk, so we have functions like,

htmlentities       //Native PHP function
htmlspecialchars   //Native PHP function
esc_html           //WordPress API function
esc_attr           //WordPress API function

…to take care of business an encode and also decode input according to our needs.

In fact both htmlspecialchars_decode and html_entity_decode and others do reveal some interesting things about the way in which strings can be handled.

Strings in 'single quotes' are treated differently than strings in "double quotes".

I encourage you to read PHP’s documents on String Types as well as,

Because they really do give some great insight to the topic at hand.

Now beyond that I recommend reading,

Which exposes the WordPress APIs functions for much of the above and more.

When you take a look under the hood, like you mentioned by View Page Source, you actually get to see the real workings of how PHP and WordPress are processing the data, which as mentioned above was obfuscated from your view because WordPress was enforcing UTF-8 character encoding and in the functions shown in your original post, htmlspecialchars was being used in a stock standard fashion without passing any extra parameters along with said function which may have produced different results and somewhat less frustrating too 😉

Take a look at the following and the way in which they handle output when you are viewing the source via “View Page Source;

    $string = '"XSS"';

    echo htmlspecialchars($string);  
    //output -> "XSS"
    //converts double quotes, but also converts existing html entities
    //specifiy double_encode = false to prevent double encoding of entities
    //wordpress preferred method is esc_attr($string) (does not double encoding)

    echo htmlspecialchars_decode($string);
    //outputs -> "XSS"
    //decodes special char " back to " (double quote) 
    //default formatting is ENT_COMPAT which only converts double quotes not single

    echo htmlspecialchars_decode($string, ENT_NOQUOTES); 
    //output -> "XSS"
    //ignores decoding for special chars ' (single) and " (double) quotes

    echo htmlspecialchars_decode($string, ENT_QUOTES); 
    //outputs -> "XSS"
    //decodes special char " back to " (double quote)

    echo htmlentities($string, ENT_NOQUOTES);
    //output -> "XSS"

    echo htmlentities($string, ENT_COMPAT);
    //output -> "XSS"

    echo esc_attr($string);
    //output -> "XSS"
    //encoding "UTF-8"

    $stringed = "\x8F!!\"!";

    echo htmlentities($stringed, ENT_QUOTES);
    //output -> ?!!"!  (notice ? character)
    //PHP < 5.4 defaults encoding to "ISO-8859-1"
    //PHP >= 5.4 defaults encoding to "UTF-8"

    echo htmlentities($stringed, ENT_QUOTES | ENT_IGNORE, "UTF-8");
    //output -> !!&quot;!
    //ENT_IGNORE prevents an otherwise empty string being returned (potential security risk)

    echo htmlentities($stringed, ENT_QUOTES, "UTF-8");
    //returns an empty string

    echo html_entity_decode($stringed, ENT_QUOTES | ENT_IGNORE);
    //output -> ?!!"!   (notice ? character)
    //PHP < 5.4 defaults encoding to "ISO-8859-1"
    //PHP >= 5.4 defaults encoding to "UTF-8"

    echo esc_attr($stringed);
    //returns an empty string
    //encoding "UTF-8"

So while all that is going on under the hood, in source, this is what you would have been seeing for each one of those functions when viewed in the browser.

enter image description here

I wrote this in the event that it might help others who encounter similar, what appears first to be a problem, but actually is not when you understand what is doing what.

Related Posts:

  1. Should I escape wordpress functions like the_title, the_excerpt, the_content
  2. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  3. What is the difference between esc_html filter vs attribute_escape filter?
  4. What’s the difference between esc_* functions?
  5. What to use instead of wp_kses() in user output
  6. How to escape custom css?
  7. Do you need to escape hard coded plain text?
  8. Do I need to use the esc_html() function on hard coded links?
  9. How Could I sanitize the receive data from this code
  10. Do we need to escape data that we receive from theme options?
  11. should I escape a literal url added in functions.php
  12. how to sanitizing $_POST with the correct way?
  13. what is a auth_user_file.txt?
  14. Is moving wp-config outside the web root really beneficial?
  15. Can I Prevent Enumeration of Usernames?
  16. Best way to eliminate xmlrpc.php?
  17. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  18. Should I remove install.php and install-helper.php?
  19. How do I technically prove that WordPress is secure?
  20. Which KSES should be used and when?
  21. How can I easily verify a core or plugin update has not broken anything?
  22. Disable comment windows for all existing posts (pages/blogposts)
  23. Generate WordPress salt
  24. Vanilla WordPress install, what can/should I put in disable_functions?
  25. Stop wordpress automatically escaping $_POST data
  26. Secure my “add_settings_field” translation?
  27. how can i embed wordpress backend in iframe
  28. Handling nonces for actions from guests to logged-in users
  29. WordPress Logout Only If User Click Logout or If User Delete Browser History
  30. Can I force a password change?
  31. wp_insert_post disable HTML filter
  32. What is pclzip.lib.php file that wordfence think it’s a malicious code
  33. How to disable XML-RPC from Linux command-line in a total way?
  34. How to remove javascript malware in wordpress site [closed]
  35. Completely remove the author url
  36. Securing my WordPress Files and Directories
  37. Restricting access to content
  38. About WordPress site security
  39. Single sign-on: wp_authenticate_user vs wp_authenticate
  40. How to allow internal links using wp_kses filtration
  41. How does Cross Site Scripting (XSS) work exactly? [closed]
  42. How does the “authentication unique keys and salts” feature work?
  43. vs WordPress Security
  44. esc_html__ security : what for in this example?
  45. Escape when echoed
  46. wp-config.php being written by attacker
  47. Definitive wordpress directory ownership and permissions on linux
  48. XML-RPC errors they know my username?
  49. Is [admin / admin] acceptable for all local websites?
  50. wordpress website host price and security [closed]
  51. Are there security risks in working directly in the themes folder that builds into a theme folder?
  52. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  53. Secure WordPress: Change admin
  54. Changing the default header name
  55. how much information can we hide when using wordpress cms?
  56. Wordfence detects change in wp-admin/includes/upgrade.php
  57. Basic password protection without using users and roles
  58. System setting changed by system user
  59. Does meta-data need to be sanitized?
  60. Will there be security updates for WordPress 4.9.9
  61. How to escape multiple attribute at once in WordPress?
  62. On new server, site got hacked, permissions a bit strange? Please help
  63. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  64. Restrict Access without Creating Users
  65. How to obfuscate wp-config.php or code
  66. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  67. How to prevent to direct access of my custom plugin folder/files
  68. Checking for origin of a xmlrpc request
  69. RESTRICT EDIT of PHP files?
  70. wp-content – permissions for files/folders created by apache
  71. How can I restrict access to specific parts of a page, not just the page itself?
  72. User generated content and security
  73. Are major WordPress updates mandatory for security?
  74. i moved wp-config.php outside of public html and this broke my website
  75. Monitor wordpress all external calls
  76. Is it safe to use the basic administration with reduced rights for private member space
  77. Securing WordPress running on Azure platform
  78. Verifying that I have fully removed a WordPress hack?
  79. Spam Registrations
  80. How can I have more confidence that WP plugins aren’t getting and storing user data?
  81. Standard Method for Securing a WordPress Site
  82. wordpress security (only one part of the site)
  83. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  84. Any way to disable /wp-login.php redirecting to the site folder?
  85. Folder Permissions + Security Concerns
  86. Malware/Permission bug removal?
  87. Could a user account with a stolen password compromised entire WP site?
  88. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  89. Secure a WordPress website in 2019: one plugin or a combinations of them?
  90. What are the different types of firewall protections available for a WordPress website?
  91. Run a security scan on WordPress site that has .htaccess password [closed]
  92. Is this a WordPress security bug?
  93. Competitor is somehow accessing MetaData on a hidden WordPress site
  94. WordPress Hacks/Defacing [closed]
  95. Directory to store secure file
  96. How can I give someone server access to only duplicate and modify a site?
  97. How can I implement ansible with per-host passwords, securely?
  98. Why should I firewall servers?
  99. Does drilling a hole into a hard drive suffice to make its data unrecoverable?
  100. Can you alter the default wordpress strong password requirements?