# Escaping URLs

This method is basically an alias for PHP's `rawurlencode()` which has applied
RFC 3986 since PHP 5.3. It is included primarily for consistency.

URL escaping applies to data being inserted into a URL and not to the whole URL
itself.

## Example of Bad URL Escaping

XSS attacks are easy if data inserted into URLs is not escaped properly:

```php

Unescaped URL data

Click here!

```

## Example of Good URL Escaping

By properly escaping data in URLs by using `escapeUrl()`, we can prevent XSS
attacks:

```php

escapeUrl($input);
?>

Unescaped URL data

Click here!

```
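The difference between the two cases above, and the reason escaping applies to the inserted data rather than the whole URL, shown as an added example that is not code from the original page or the library. The helper names, the sample input and the `http://example.com/?name=` link are constructed for illustration, and `rawurlencode()` is used in place of `escapeUrl()` on the assumption, taken from the text, that the method is an alias for it.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the double quote ends the href attribute early,
// so the rest of the value is parsed as a separate attribute.
$input = 'Jane Doe" data-injected="yes';

// Hypothetical helper: inserts the value into the URL untouched.
function linkUnescaped(string $name): string
{
    return '<a href="http://example.com/?name=' . $name . '">Click here!</a>';
}

// Hypothetical helper: escapes only the value, not the whole URL.
// rawurlencode() stands in for escapeUrl() here (assumption based on the
// text calling the method basically an alias for it).
function linkEscaped(string $name): string
{
    return '<a href="http://example.com/?name=' . rawurlencode($name) . '">Click here!</a>';
}

// Parses the markup with an HTML parser and returns the attributes that
// actually ended up on the <a> element.
function anchorAttributes(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $attributes = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $attributes[$attr->name] = $attr->value;
    }
    return $attributes;
}

foreach (['unescaped' => linkUnescaped($input), 'escaped' => linkEscaped($input)] as $label => $html) {
    echo $label, ': ', $html, PHP_EOL;
    echo '  attributes: ', implode(', ', array_keys(anchorAttributes($html))), PHP_EOL;
}

// Escaping the whole URL instead of the inserted value also encodes the
// scheme and path delimiters, so the result is no longer a usable link.
echo 'whole URL escaped: ', rawurlencode('http://example.com/?name=' . $input), PHP_EOL;
```

In the unescaped link the parser reports an extra attribute that came from the input; in the escaped link only `href` remains, because the quote and equals sign are percent-encoded.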