annotate vendor/zendframework/zend-escaper/doc/book/escaping-html.md @ 0:4c8ae668cc8c

Initial import (non-working)
author Chris Cannam
date Wed, 29 Nov 2017 16:09:58 +0000
# Escaping HTML

Probably the most common escaping happens for **HTML body** contexts. There are
very few characters with special meaning in this context, yet it is quite common
to escape data incorrectly, namely by setting the wrong flags and character
encoding.

For escaping data to use within an HTML body context, use
`Zend\Escaper\Escaper`'s `escapeHtml()` method. Internally it uses PHP's
`htmlspecialchars()`, correctly setting the flags and encoding for you.

```php
<?php
// Outputting this without escaping would be a bad idea!
$input = '<script>alert("zf2")</script>';

$escaper = new Zend\Escaper\Escaper('utf-8');
?>
<!-- somewhere in an HTML template -->
<div class="user-provided-input">
    <?= $escaper->escapeHtml($input) // all safe! ?>
</div>
```

One thing a developer needs to pay special attention to is the encoding in which
the document is served to the client, as it **must be the same** as the encoding
used for escaping!

## Example of Bad HTML Escaping

An example of incorrect usage:

```php
<?php
$input = '<script>alert("zf2")</script>';
$escaper = new Zend\Escaper\Escaper('utf-8');
?>
<?php header('Content-Type: text/html; charset=ISO-8859-1'); ?>
<!DOCTYPE html>
<html>
<head>
<title>Encodings set incorrectly!</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body>
<?php
// Bad! The escaper's and the document's encodings are different!
echo $escaper->escapeHtml($input);
?>
</body>
</html>
```

## Example of Good HTML Escaping

An example of correct usage:

```php
<?php
$input = '<script>alert("zf2")</script>';
$escaper = new Zend\Escaper\Escaper('utf-8');
?>
<?php header('Content-Type: text/html; charset=UTF-8'); ?>
<!DOCTYPE html>
<html>
<head>
<title>Encodings set correctly!</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<?php
// Good! The escaper's and the document's encodings are the same!
echo $escaper->escapeHtml($input);
?>
</body>
</html>
```
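To show what the flags and the encoding argument actually change, here is an added example that calls `htmlspecialchars()` directly, the function `escapeHtml()` wraps. It is not zend-escaper code; `escapeWeak()`, `escapeStrict()`, `DOCUMENT_ENCODING` and the sample strings are constructed for the illustration.

```php
<?php
// Added example, not from zend-escaper: calls htmlspecialchars() directly to
// show what "wrong flags and encoding" means in practice. escapeHtml() passes
// ENT_QUOTES | ENT_SUBSTITUTE and the encoding the Escaper was built with.
declare(strict_types=1);

// Constructed sample inputs.
$text  = "it's <b>bold</b> & \"quoted\"";   // contains a single quote
$latin = "caf\xE9";                         // 'café' as ISO-8859-1 bytes; not valid UTF-8

// Weak: ENT_COMPAT was the PHP default before 8.1. Single quotes pass
// through untouched, and a byte sequence that is invalid in the named
// encoding makes htmlspecialchars() return an empty string, so the data
// silently disappears from the page.
function escapeWeak(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// Correct: both quote characters are encoded, invalid sequences become
// U+FFFD instead of emptying the result, and the encoding parameter is the
// one the document is served in. Keep it in one place so the Content-Type
// header, the <meta> tag and the escaper cannot drift apart.
const DOCUMENT_ENCODING = 'UTF-8';

function escapeStrict(string $s, string $encoding = DOCUMENT_ENCODING): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

// Same constant feeds the response header (a no-op on the CLI).
header('Content-Type: text/html; charset=' . DOCUMENT_ENCODING);

// Single quote: only escapeStrict() turns it into an entity.
var_dump(escapeWeak($text), escapeStrict($text));

// Invalid UTF-8: escapeWeak() returns an empty string, escapeStrict() keeps
// "caf" and substitutes the replacement character for the bad byte.
var_dump(escapeWeak($latin), escapeStrict($latin));

// If the bytes really are ISO-8859-1, declare that encoding everywhere
// rather than escaping as UTF-8; then \xE9 is a valid character and survives.
var_dump(escapeStrict($latin, 'ISO-8859-1'));
```

The last case is the mismatch the two examples above illustrate: the escaper must be told the encoding the document is actually served in, or bytes are either dropped or interpreted differently by the browser than by the escaper.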