Hi,

I hope someone can help with this. Is there a way of reading the contents of a PHP page into a textarea, so the PHP and HTML tags are nullified (so they don't affect the active document) but are displayed as-is in the textarea?

Thanks in advance

The PHP tags won't be interpreted if you're just echoing it. The HTML tags will be interpreted by the browser though.

Use [man]htmlentities[/man] or [man]htmlspecialchars[/man] to fix it. They will turn <html> into &lt;html&gt; so that it will not be interpreted as HTML by the browser.

Not so! That's exactly what I've been doing, and the output is still not escaped. Are there config options I should be checking?

How are you doing it?

This has no effect because it discards the value:
htmlentities($foo);

This works fine:
$foo = htmlentities($foo);

&lt;DOH!&gt; Thank you kind developer, for highlighting my stupidity.

This seems to be a bit of a grey area in manual terms. Some functions automatically update their arguments, some don't. Am I missing something in the terminology?

The term you are looking for is "return value". Most functions return a new value without modifying the arguments. It's usually best to assume that is the case, unless the manual says otherwise.

The [man]htmlentities[/man] page doesn't really say, though the examples show it using the return value.

Most of the time it is only array-related functions that modify their arguments. If an array is large, creating a whole new one to return would be inefficient, so the change is done in-place.

Okay, after a very negative-emotional day I've sussed it.

I was reading from the file thus:

$src = file_get_contents('http://localhost/foo.php');

So, however I tried to escape the contents of $src, it was too late because the PHP had already been parsed.

And if it had been possible, that would be a pretty sizeable security hole I guess. Wish I could think like a sysop...