isophonics-drupal-site: vendor/zendframework/zend-escaper/doc/book/intro.md @ 0:4c8ae668cc8c
Commit: Initial import (non-working)
Author: Chris Cannam
Date: Wed, 29 Nov 2017 16:09:58 +0000
Parents: none (initial revision)
# Introduction

The [OWASP Top 10 web security risks](https://www.owasp.org/index.php/Top_10_2010-Main)
study lists Cross-Site Scripting (XSS) in second place. PHP's built-in defence
against XSS is limited to two functions, `htmlspecialchars()` and
`htmlentities()`, and one of them, `htmlspecialchars()`, is commonly misapplied:
it is called without `ENT_QUOTES` (the default before PHP 8.1, which leaves
single quotes untouched), or it is used for attribute, JavaScript, CSS or URL
contexts where HTML-body escaping is not sufficient. Thus, the zend-escaper
component was written. It offers developers a way to escape output and defend
against XSS and related vulnerabilities by introducing **contextual escaping
based on peer-reviewed rules**.

zend-escaper was written with ease of use in mind, so it can be used completely stand-alone from
the rest of the framework, and as such can be installed with Composer (`composer require`
adds the package; `composer install` takes no package argument):

```bash
$ composer require zendframework/zend-escaper
```

Several Zend Framework components provide integrations for consuming
zend-escaper, including [zend-view](https://github.com/zendframework/zend-view),
which provides a set of helpers that consume it.

> ### Security
>
> zend-escaper is a security related component. As such, if you believe you have
> found an issue, we ask that you follow our [Security Policy](http://framework.zend.com/security/)
> and report security issues accordingly. The Zend Framework team and the
> contributors thank you in advance.

## Overview

zend-escaper provides one class, `Zend\Escaper\Escaper`, which in turn provides
five methods for escaping output. Which method to use depends on the context in
which the output is used. It is up to the developer to use the right methods in
the right context.

`Zend\Escaper\Escaper` has the following escaping methods available for each context:

- `escapeHtml`: escape a string for an HTML body context.
- `escapeHtmlAttr`: escape a string for a (quoted) HTML attribute value context.
- `escapeJs`: escape a string for a JavaScript string literal context.
- `escapeCss`: escape a string for a CSS context.
- `escapeUrl`: escape a string for use as a URI query parameter value.

Usage of each method will be discussed in detail in later chapters.
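The following is an added example, not code from the zend-escaper documentation or
code base. It places one untrusted value into each of the five contexts listed above
using the matching escaper, and sets the misuse the introduction alludes to
(`htmlspecialchars()` guarding a JavaScript string inside an event handler) beside the
nested-escaping form that is actually safe. The `vendor/autoload.php` path, the render
functions and the hostile sample input are assumptions made for the example.

```php
<?php
// Added example, not part of the zend-escaper documentation or code base.
// Assumes the component was installed with Composer so vendor/autoload.php
// exists; the render functions and the sample input below are constructed.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Zend\Escaper\Escaper;

/**
 * Render a profile widget in which one untrusted value, $name, is placed in
 * five output contexts. Each placement uses the escaper for that context.
 */
function renderProfileWidget(Escaper $escaper, string $name): string
{
    $html = $escaper->escapeHtml($name);     // HTML body text
    $attr = $escaper->escapeHtmlAttr($name); // inside a quoted attribute value
    $js   = $escaper->escapeJs($name);       // inside a quoted JS string literal
    $css  = $escaper->escapeCss($name);      // inside a CSS string value
    $url  = $escaper->escapeUrl($name);      // one query-string parameter value

    // Keep attribute values quoted: the escaper neutralises the characters that
    // would close a quoted value; it does not make unquoted attributes safe.
    return <<<HTML
<div class="profile" title="{$attr}">
  <p>Hello, {$html}</p>
  <a href="/search?q={$url}">Find similar profiles</a>
  <style>.profile::after { content: "{$css}"; }</style>
  <script>var displayName = '{$js}';</script>
</div>
HTML;
}

/**
 * The common misapplication: htmlspecialchars() is an HTML-body escaper, yet
 * here it guards a JavaScript string literal inside an onclick attribute. The
 * browser HTML-decodes the attribute value before the JS engine parses it, so
 * a $name such as  "); alert(1); //  reaches the JS source with a raw closing
 * quote and the injected statement runs. Kept deliberately vulnerable.
 */
function renderButtonUnsafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<button onclick='showName(\"{$escaped}\")'>Show</button>";
}

/**
 * Nested contexts need nested escaping, innermost first: the value is a JS
 * string literal (escapeJs) that lives inside an HTML attribute value
 * (escapeHtmlAttr). The HTML parser undoes the attribute escaping and hands
 * the JS engine a backslash-escaped literal that cannot terminate the string.
 */
function renderButtonSafe(Escaper $escaper, string $name): string
{
    $nested = $escaper->escapeHtmlAttr($escaper->escapeJs($name));
    return "<button onclick=\"showName('{$nested}')\">Show</button>";
}

// Constructed hostile display name: closes a double-quoted JS string, appends
// a statement, and carries a script block for the HTML-body context.
$hostile = 'Bob"); alert(1); //</script><script>alert(2)</script>';

$escaper = new Escaper('utf-8');
echo renderProfileWidget($escaper, $hostile), PHP_EOL;
echo renderButtonUnsafe($hostile), PHP_EOL;  // vulnerable: alert(1) fires
echo renderButtonSafe($escaper, $hostile), PHP_EOL;
```

Run it with `php example.php` and paste the output into an HTML file to compare the
two buttons in a browser. The order of the nested escaping matters: JavaScript-escape
first and attribute-escape the result, because the HTML parser is the outer layer and
the JavaScript engine the inner one.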

## What zend-escaper is not

zend-escaper is meant to be used only for *escaping data for output*, and as
such should not be misused for *filtering input data*. For such tasks,
[zend-filter](https://zendframework.github.io/zend-filter/),
[HTMLPurifier](http://htmlpurifier.org/) or PHP's
[Filter](http://php.net/filter) functionality should be used.