PHP: Escapando o HTML

Escapando o HTML

Tudo o que estiver fora das tags PHP é ignorado pelo interpretador, o que permite arquivos PHP de conteúdo misto. Permite que o PHP seja incluído dentro de documentos HTML, para, por exemplo, a criação de templates.


<p>Isto vai ser ignorado pelo PHP e exibido pelo navegador.</p>
<?php echo 'Enquanto isto vai ser interpretado.'; ?>
<p>Isto também vai ser ignorado pelo PHP e exibido no navegador.</p>

Isso funcionará porque quando o interpretador do PHP encontra ?>, a tag de fechamento, ele simplesmente começa a repassar qualquer coisa que encontre (exceto um fim de linha imediato, ver a seção sobre separação de instruções), até que ele encontre outra tag de abertura a não ser que esteja no meio de uma instrução condicional, onde então o interpretador vai determinar o resultado da condicional e assim decidir qual caminho tomar. Veja no próximo exemplo.

Utilizando estruturas avançadas

Exemplo #1 Escape avançado usando condições


<?php if ($expression == true): ?>
  Isto irá aparecer se a expressão for verdadeira.
<?php else: ?>
  Senão isso que aparecerá.
<?php endif; ?>

Nesse exemplo o PHP irá pular os blocos em que a condição não seja satisfeita, mesmo que o trecho de código esteja fora das tags de abertura/fechamento do PHP, pois o interpretador do PHP irá pular os conteúdos de blocos que não possuem uma condição que não foi satisfeita.

Para impressão de grandes blocos de texto, sair do modo de interpretação do PHP é geralmente mais eficiente que enviar todo o texto através das funções echo ou print.

Nota:
Se o PHP for incluído no XML ou XHTML, as tags normais <?php ?> precisam ser utilizadas para que o documento permaneça conformante aos padrões desses documentos.

＋add a note

User Contributed Notes 11 notes

down

397

quickfur at quickfur dot ath dot cx ¶

12 years ago


When the documentation says that the PHP parser ignores everything outside the <?php ... ?> tags, it means literally EVERYTHING. Including things you normally wouldn't consider "valid", such as the following:

<html><body>
<p<?php if ($highlight): ?> class="highlight"<?php endif;?>>This is a paragraph.</p>
</body></html>

Notice how the PHP code is embedded in the middle of an HTML opening tag. The PHP parser doesn't care that it's in the middle of an opening tag, and doesn't require that it be closed. It also doesn't care that after the closing ?> tag is the end of the HTML opening tag. So, if $highlight is true, then the output will be:

<html><body>
<p class="highlight">This is a paragraph.</p>
</body></html>

Otherwise, it will be:

<html><body>
<p>This is a paragraph.</p>
</body></html>

Using this method, you can have HTML tags with optional attributes, depending on some PHP condition. Extremely flexible and useful!

down

ravenswd at gmail dot com ¶

13 years ago


One aspect of PHP that you need to be careful of, is that ?> will drop you out of PHP code and into HTML even if it appears inside a // comment. (This does not apply to /* */ comments.) This can lead to unexpected results. For example, take this line:

<?php
  $file_contents  = '<?php die(); ?>' . "\n";
?>

If you try to remove it by turning it into a comment, you get this:

<?php
//  $file_contents  = '<?php die(); ?>' . "\n";
?>

Which results in ' . "\n"; (and whatever is in the lines following it) to be output to your HTML page.

The cure is to either comment it out using /* */ tags, or re-write the line as:

<?php
  $file_contents  = '<' . '?php die(); ?' . '>' . "\n";
?>

down

sgurukrupa at gmail dot com ¶

9 years ago


Although not specifically pointed out in the main text, escaping from HTML also applies to other control statements:

<?php for ($i = 0; $i < 5; ++$i): ?>
Hello, there!
<?php endfor; ?>

When the above code snippet is executed we get the following output:

Hello, there!
Hello, there!
Hello, there!
Hello, there!

down

snor_007 at hotmail dot com ¶

12 years ago


Playing around with different open and close tags I discovered you can actually mix different style open/close tags

some examples

<%
//your php code here
?>

or

<script language="php">
//php code here
%>

down

anisgazig at gmail dot com ¶

3 years ago


Version of  7.0.0,3 tags are available in php.
1.long form tag (<?php ?>)
2.short echo tag(<?= ?>)
3.short_open_tag(? ?)
You can use short_open_tag when you start xml with php.

down

-8

mike at clove dot com ¶

12 years ago


It's possible to write code to create php escapes which can be processed later by substituting \x3f for '?' - as in echo "<\x3fphp echo 'foo'; \x3f>";

This is useful for creating a template parser which later is rendered by PHP.

down

-4

bryanrojasq.wordpress.com ¶

1 year ago


Example for a basic implementation of ternary operator to validate and print a class in the layout.

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title><?= $page_title ?></title>
</head>
<body <?= strtolower($page_slug) === 'homepage' ? 'class="page-homepage"' : ''; ?>>
    <section>
        <h1><?= $page_title ?></h1>
        <p>This is a paragraph.</p>
    </section>
</body>
</html>

down

-21

davidhcefx ¶

2 years ago


When the PHP interpreter hits the ?> closing tags, it WON'T output right away if it's inside of a conditional statement:
(no matter if it's an Alternative Syntax or not)

<html>
<?php
$a = 1;
$b = 2;
if ($a === 1) {
    if ($b == 2) {
        ?><head></head><?php
    } else {
        ?><body></body><?php
    }
}
?>
</html>

This would output `<html><head></head></html>`.
Aside from conditional statements, the PHP interpreter also skip over functions! What a surprise!

<html>
<?php
function show($a) {
    ?>
    <a href="https://www.<?php echo $a ?>.com">
    Link
    </a>
    <?php
}
?>
<body>
    <?php show("google") ?>
</body>
</html>

This gives `<html><body><a href="https://www.google.com">Link</a></body></html>`.
These really confused me, because at first I thought it would output any HTML code right away, except for Alternative Syntaxes (https://www.php.net/manual/en/control-structures.alternative-syntax.php). There are more strange cases than I thought.

down

-12

Anonymous ¶

2 years ago


Since it's not documented (AFAICT) and it might cause confusion: a single line break immediately after ?> is ignored. Since whitespace is hard to see, whitespace is replaced with _ and the following code

<?php echo '1'; ?>
<?php echo '2'; ?>_
<?php echo '3'; ?>
_<?php echo '4'; ?>_<?php echo '5'; ?>

will produce

12_
3_4_5

down

-16

anisgazig.com ¶

2 years ago


<p>This is ignore by the php parser and displayed by the browser </p>

 <?php echo "While this is going to be parsed"; ?>

 <?php 

when php interpreter hits the closing tag it start to outputing everything whatever it finds until it hit another opening tag.If php interpreter find a conditional statement in the middle of a block then php interpreter decided which block skip  

 Advanced escaping using conditions

  <?php $a = 10; if($a<100): ?>
  This conditional block is executed
  <?php else: ?>
      otherwise this will be executed
      <?php endif; ?>

In php 5 version,there are 5 opening and closing tags.
1.<?php echo "standard long form php tag and if you use xml with php this tag will be use";?>

2.<?= "short echo tag and alwayes available from 5.4.0";?>

3.<? echo "short open tag which is available if short_open_tag is enable in php ini configuration file directive or php was configured with --enable-short-tags.This tag has discoursed from php 7.If you want to use xml with php,then short_open_tag in php ini will be disabled";?>

4.<script language="php">
echo "Some editor do not like processing the code within this tag and this tag is removed from php 7.0.0 version";

</script>

5.<% echo "asp style tag and asp_tags should be enabled but now php 7.0.0 version,this tag is removed";%>

down

-28

Emil Cataranciuc ¶

4 years ago


"<script language="php"> </script>, are always available." since PHP 7.0.0 is no longer true. These are removed along the ASP "<%, %>, <%=" tags.

＋add a note