fwrite and escapping

Hi guys I have an issue and I really have no idea how to solve it tried everything I don’t know what I am missing.

I have a css file that is loaded fopen and then using fread I add the content to a text area, so far so good.

The the css is modified in the text area and escaped sent back to php and written using fwrite, everything works good except that the css file is saved using html entities instead of the normal characters for example in the text area a string looks normal with the normal version of the characters but the css file is saved using html entities and it breaks.

I don’t understand what I am missing it is driving me crazy, any help is greatly appreciate it.

Thank you.

I think you forgot to strip the tags mate? ( check this ) Might be wrong but it sure sounds like this?

Thank you for your response but that is not the issue, the problem is that in the file is saved with escaped encoded characters and because of this the css file is not working, I really don’t know what to do anymore this is stupid to be honest…

Well, this literally blows my mind, lol! funny gif.

@dtbaker, you’re the best PHP guy I know, do you have any idea what’s up with this? Sounds like a very atypical issue? :neutral_face:

When you output & into a textarea, the browser renders it as &. When you post that textarea through a form, the browser posts the actual character (&). Thus PHP receives the original character (&) and not the encoded entity form.

Are you sending the contents of the textarea via JavaScript? If so, make sure you’re not using textarea.innerHTML because this would cause your problem; you want textarea.value.

Don’t escape the value of the textarea before sending it to PHP – you want to send the raw text. Only escape it on the PHP side when you output the initial CSS code into the textarea.

Some possible debugging steps:

  • View the source of the actual form to make sure the entities look correct.
  • Run var_dump($_POST) to see if the entities are being posted by the browser.
  • Check the network tab of developer tools to see if the form contains entities.

Hard to say much else without some code - so if you can’t get it working, hit up codepen.io please? :stuck_out_tongue:

1 Like


I think you should create whitelist of escaping rules.
Check this:


1 Like

Type a var_export( $value_to_be_saved ); exit; just before you do the fwrite and see what is output in the browser. Ensure you “view source” to see the actual characters and not what the browser renders.

You may find something is messing with the raw $_POST input variables (e.g. WordPress?) and is trying to sanitise them automatically.

The other option is to try file_put_contents() to see if that differs in any way


Thank you guys for the help so far nothing worked still trying to figure this out.

have you checked using: wp_kses

Is not about that, again I will try to explain.

The content that is received via $_POST which is the content from the CSS file is escaped with html entities (for example < is saved as &lt ,then I use fwrite to save the CSS but no matter what I do even if I decode the escaped entities the css file is saved with the html entities instead of their representing string for example < is saved as &lt.

Hope this makes sense.

what about str_replace

$content     = wp_kses( $css_content, array( '\'', '\"' ) );
$content     = str_replace( '>', '>', $content );

If str_replace works then you can make an array to short out all concerned characters.