Hi, I'm running user-input data through htmlspecialchars before displaying it, but this has the annoying side-effect of screwing up characters from other languages. That's because the special characters are represented by numeric codes, e.g. for the Japanese character 時 the code is &#26178;, but htmlspecialchars explodes this into &amp;#26178; so that when the input is displayed, instead of showing the Japanese character, it shows "&#26178;" (and if you "view source" you'll see "&amp;#26178;"). One way to get around this would just be to get rid of the ampersand-expansion from htmlspecialchars:

str_replace('&amp;', '&', htmlspecialchars($txt))

The question is, is this safe? This wouldn't lead to any sort of backdoor where they could somehow ampersand their way into writing arbitrary HTML code? Thanks in advance
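Added example (not code from the original post): it runs the poster's str_replace workaround next to htmlspecialchars' own $double_encode parameter, which leaves an existing entity such as &#26178; alone while still encoding bare ampersands and every <, >, " and '. The sample input is constructed for the demonstration.

```php
<?php
// Added example, not from the original post.
declare(strict_types=1);

// Constructed sample: the browser submitted 時 as a numeric character
// reference, plus a bare '&', quotes and an injection attempt.
$input = 'Tokyo &#26178; Tom & Jerry <script>alert(1)</script> "x"';

// Poster's workaround: encode everything, then undo the ampersand encoding.
// Result: the &#26178; entity survives and '<', '>' and '"' stay encoded,
// but the bare '&' in "Tom & Jerry" is also put back unencoded, which is
// technically invalid HTML (browsers tolerate it).
function escape_with_replace(string $txt): string
{
    return str_replace('&amp;', '&', htmlspecialchars($txt, ENT_QUOTES, 'UTF-8'));
}

// Alternative: the fourth argument ($double_encode = false, PHP >= 5.2.3)
// tells htmlspecialchars not to re-encode something that is already a
// valid entity. &#26178; survives, the bare '&' still becomes &amp;, and
// '<', '>', '"' and "'" are still encoded.
function escape_keep_entities(string $txt): string
{
    return htmlspecialchars($txt, ENT_QUOTES, 'UTF-8', false);
}

echo escape_with_replace($input), PHP_EOL;
echo escape_keep_entities($input), PHP_EOL;

// In both variants a pre-encoded payload stays inert: the '<' of
// '&lt;script&gt;' never reaches the parser as a raw '<', so the browser
// renders the text "<script>" instead of executing anything.
echo escape_keep_entities('&lt;script&gt;alert(1)&lt;/script&gt;'), PHP_EOL;
```

Both variants keep the tag-introducing characters encoded in an HTML body context; the difference is only in how bare ampersands are treated, and neither changes the rules for attribute or URL contexts, where the surrounding quoting still has to be correct.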
I think you are being too safe! I don't think it would cause any problem to exclude the ampersand. Firstly, the ampersand cannot do much in an SQL injection attack. In what capacity are you using this?