# Introduction

The [OWASP Top 10 web security risks](https://www.owasp.org/index.php/Top_10_2010-Main)
study lists Cross-Site Scripting (XSS) in second place. PHP's sole functionality
against XSS is limited to two functions, one of which is commonly misapplied.
Thus, the zend-escaper component was written. It offers developers a way to
escape output and defend from XSS and related vulnerabilities by introducing
**contextual escaping based on peer-reviewed rules**.

zend-escaper was written with ease of use in mind, so it can be used completely stand-alone from
the rest of the framework, and as such can be installed with Composer:

```bash
$ composer require zendframework/zend-escaper
```

Several Zend Framework components provide integrations for consuming
zend-escaper, including [zend-view](https://github.com/zendframework/zend-view),
which provides a set of helpers that consume it.

> ### Security
>
> zend-escaper is a security related component. As such, if you believe you have
> found an issue, we ask that you follow our [Security Policy](http://framework.zend.com/security/)
> and report security issues accordingly. The Zend Framework team and the
> contributors thank you in advance.

## Overview

zend-escaper provides one class, `Zend\Escaper\Escaper`, which in turn provides
five methods for escaping output. Which method to use depends on the context in
which the output is used. It is up to the developer to use the right method in
the right context.

`Zend\Escaper\Escaper` has the following escaping methods available, one for each context:

- `escapeHtml`: escape a string for an HTML body context.
- `escapeHtmlAttr`: escape a string for an HTML attribute context.
- `escapeJs`: escape a string for a JavaScript context.
- `escapeCss`: escape a string for a CSS context.
- `escapeUrl`: escape a string for a URI or URI parameter context.

Usage of each method will be discussed in detail in later chapters.

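As an added example (not part of the zend-escaper documentation), the following script renders one untrusted value into each of the five contexts with the matching method, and shows that a URL placed in an `href` attribute needs two layers of escaping. It assumes the package was installed with Composer so that `vendor/autoload.php` exists; the `$untrusted` value is constructed for illustration.

```php
<?php
// Added example: contextual escaping with Zend\Escaper\Escaper.
// Assumes a Composer install, hence the standard autoloader path below.
require 'vendor/autoload.php';

use Zend\Escaper\Escaper;

// Always state the output encoding; the escaping rules depend on it.
$escaper = new Escaper('utf-8');

// Constructed sample input that tries to close a quoted value and inject markup.
$untrusted = '"><script>alert(1)</script>';

// 1. HTML body context: text between tags.
$html = '<p>' . $escaper->escapeHtml($untrusted) . '</p>';

// 2. HTML attribute context: keep the attribute quoted AND use escapeHtmlAttr,
//    which encodes more characters than escapeHtml so the value cannot
//    terminate the attribute or smuggle in an event handler.
$attr = '<input type="text" value="' . $escaper->escapeHtmlAttr($untrusted) . '">';

// 3. JavaScript context: a string literal inside a <script> block.
$js = '<script>var name = "' . $escaper->escapeJs($untrusted) . '";</script>';

// 4. CSS context: a string value inside a <style> block.
$css = '<style>p::after { content: "' . $escaper->escapeCss($untrusted) . '"; }</style>';

// 5. URL parameter context: escapeUrl percent-encodes the parameter value only.
$url = 'https://example.com/search?q=' . $escaper->escapeUrl($untrusted);

// The finished URL then sits inside an HTML attribute, so it is escaped a
// second time for that outer context. Inner-context first, outer-context last.
$link = '<a href="' . $escaper->escapeHtmlAttr($url) . '">search</a>';

echo $html, "\n", $attr, "\n", $js, "\n", $css, "\n", $link, "\n";
```

Run it with `php` from the project root; every line of output keeps the injected characters inert for the context it is embedded in.
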
## What zend-escaper is not

zend-escaper is meant to be used only for *escaping data for output*, and as
such should not be misused for *filtering input data*. For such tasks, use
[zend-filter](https://zendframework.github.io/zend-filter/),
[HTMLPurifier](http://htmlpurifier.org/) or PHP's
[Filter](http://php.net/filter) functionality.