• Hi, I have this piece of code.

    function PHP_Include( $atts )
    {
        $atts = htmlspecialchars($atts);
        ob_start();

        extract(shortcode_atts( array(
            'file' => 'default'
        ), $atts ));

        include get_theme_root() . '/' . get_template() . '/app/' . $file;

        $output = ob_get_contents();
        ob_end_clean();
        return $output;
    }


    Someone’s telling me ob_start will make my code more secure, but I don’t understand in what way. Basically, this function will “keep in memory” the code and then output the code to execute it, right?

    Secondly, when I add $atts = htmlspecialchars($atts); the code doesn’t work: I get a white page, and here again I don’t know why. $atts is appfile.php. I use this shortcode [phpinclude file='appfile.php'].

Viewing 5 replies - 1 through 5 (of 5 total)
  • Dion

    (@diondesigns)

    The htmlspecialchars() function requires a string, and $atts would appear to be an array. So…try out the revised function below and see if it works.

    function PHP_Include($atts) {
        ob_start();
        extract(shortcode_atts(
            array('file' => 'default'),
            $atts
        ));

        include get_theme_root() . '/' . get_template() . '/app/' . $file;
        return ob_get_clean();
    }

    Thread Starter geekinside

    (@geekinside)

    Shortcodes return an array, right?

    Moderator bcworkz

    (@bcworkz)

    Shortcode handlers return a string that will be echoed out. The $atts passed to your handler is an array.

    I don’t know how an output buffer adds security, but you need to use it regardless in a shortcode handler that includes a template file that echoes out content. Shortcode handlers must never directly output anything.

    Thread Starter geekinside

    (@geekinside)

    Sorry I was busy.

    Alright, I understand. Basically $atts is file[newvalue].

    I’m wondering why shortcode handlers must never directly output anything?

    Moderator bcworkz

    (@bcworkz)

    No worries.

    Because WP echoes out the returned value at exactly the right spot in the DOM flow. If you were to echo out content from the handler, it will not be in the right position in the flow. Echoing out sets up a race condition of a sort. Your echo wins the race, but the prize is a messed up page.
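
Putting the thread's two points together (the attributes arrive as an array and go through shortcode_atts(), and the handler returns buffered output instead of echoing), here is an added example handler; it is not code from the thread or from Dion. It also restricts the file attribute, which both versions above pass straight into the include path, to a fixed list of template names; the function name and the allowed names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes WordPress is loaded
// (shortcode_atts, get_theme_root, get_template, add_shortcode exist)
// and that the templates live in <theme>/app/. The function name and
// the list of allowed template names are hypothetical.

function geekinside_app_include_shortcode( $atts ) {
    // $atts is an array (or '' when the shortcode has no attributes),
    // so it is merged with the defaults rather than passed through
    // htmlspecialchars(), which expects a string.
    $atts = shortcode_atts( array( 'file' => 'default' ), $atts, 'phpinclude' );

    // Only names from this fixed list may be included; the raw attribute
    // is never used to build the path. 'appfile.php' becomes 'appfile'.
    $allowed = array( 'default', 'appfile' );
    $name    = basename( (string) $atts['file'], '.php' );
    if ( ! in_array( $name, $allowed, true ) ) {
        return ''; // unknown name: return nothing instead of including
    }

    $dir  = realpath( get_theme_root() . '/' . get_template() . '/app' );
    $path = realpath( $dir . '/' . $name . '.php' );
    // The resolved file must still sit inside the app directory.
    if ( false === $dir || false === $path
        || 0 !== strpos( $path, $dir . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    // Capture whatever the template echoes and hand it back as a string;
    // WordPress inserts the return value at the shortcode's position,
    // which is why the handler must not echo directly.
    ob_start();
    include $path;
    return ob_get_clean();
}
add_shortcode( 'phpinclude', 'geekinside_app_include_shortcode' );
```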

  • The topic ‘ob_start() and htmlspecialchars()’ is closed to new replies.