var_dump or print_r and html encoding

php xss html-entities var-dump
Average Joe picture Average Joe · Apr 7, 2012 · Viewed 23.8k times · Source 
<?php 

$x = array("<b>","<i>","b","i","<h1>hello</h1>");
print_r ($x);
echo "<hr>";
var_dump ($x);

outputs this in the html source!

Array
(
    [0] => <b>
    [1] => <i>
    [2] => b
    [3] => i
    [4] => <h1>hello</h1>
)
<hr>array(5) {
  [0]=>
  string(3) "<b>"
  [1]=>
  string(3) "<i>"
  [2]=>
  string(1) "b"
  [3]=>
  string(1) "i"
  [4]=>
  string(14) "<h1>hello</h1>"
}

obviously, I could have been XSS'ed by that!
How can I make sure that the array values are htmlencoded?

Answer

Self Evident picture Self Evident · Mar 15, 2015

While this question has an accepted answer, I think David Morrow's answer is the best/ simplest/ most practical (uses the print_r true flag):

echo "<pre>".htmlentities(print_r($some_array, true))."</pre>";

Never-the-less, here is another solution that uses output buffering:

<?php

ob_start();
print_r($some_array);
$buffer = ob_get_clean();
echo "<pre>".htmlentities($buffer)."</pre>";

?>

Related questions

How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More
How to prevent XSS with HTML/PHP?

How do I prevent XSS (cross-site scripting) using just HTML and PHP? I've seen numerous other posts on this topic but I have not found an article that clear and concisely states how to actually prevent XSS.

Read More
How do you set up use HttpOnly cookies in PHP

How can I set the cookies in my PHP apps as HttpOnly cookies?

Read More