# Introduction

The [OWASP Top 10 web security risks](https://www.owasp.org/index.php/Top_10_2010-Main)
study lists Cross-Site Scripting (XSS) in second place. PHP's sole functionality
against XSS is limited to two functions, one of which is commonly misapplied.
Thus, the zend-escaper component was written. It offers developers a way to
escape output and defend from XSS and related vulnerabilities by introducing
**contextual escaping based on peer-reviewed rules**.

zend-escaper was written with ease of use in mind, so it can be used completely stand-alone from
the rest of the framework, and as such can be installed with Composer:

```bash
$ composer require zendframework/zend-escaper
```

Several Zend Framework components provide integrations for consuming
zend-escaper, including [zend-view](https://github.com/zendframework/zend-view),
which provides a set of helpers that consume it.

> ### Security
>
> zend-escaper is a security related component. As such, if you believe you have
> found an issue, we ask that you follow our [Security Policy](http://framework.zend.com/security/)
> and report security issues accordingly. The Zend Framework team and the
> contributors thank you in advance.

## Overview

zend-escaper provides one class, `Zend\Escaper\Escaper`, which in turn provides
five methods for escaping output. Which method to use depends on the context in
which the output is used. It is up to the developer to use the right method in
the right context.

`Zend\Escaper\Escaper` has the following escaping methods available, one for each context:

- `escapeHtml`: escape a string for an HTML body context.
- `escapeHtmlAttr`: escape a string for an HTML attribute context.
- `escapeJs`: escape a string for a JavaScript context.
- `escapeCss`: escape a string for a CSS context.
- `escapeUrl`: escape a string for a URI or URI parameter context.

Usage of each method will be discussed in detail in later chapters.

## What zend-escaper is not

zend-escaper is meant to be used only for *escaping data for output*, and as
such should not be misused for *filtering input data*. For such tasks,
[zend-filter](https://zendframework.github.io/zend-filter/),
[HTMLPurifier](http://htmlpurifier.org/) or PHP's
[Filter](http://php.net/filter) functionality should be used.
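To make the context distinction from the Overview concrete, here is an added example (not code from the zend-escaper documentation) that renders one constructed untrusted string into each of the five contexts with the matching method; it assumes zend-escaper has been installed with Composer so that `vendor/autoload.php` exists, and the `renderSnippet` function and its sample values are assumptions of this example.

```php
<?php
// Added example, not part of the zend-escaper documentation.
// Assumes a Composer-installed zend-escaper (vendor/autoload.php available).
require 'vendor/autoload.php';

use Zend\Escaper\Escaper;

/**
 * Render one untrusted value into every output context zend-escaper covers.
 * Each method is only safe in the context it is named for, and the markup
 * around the value (quotes, tags) is part of what makes the escaping correct.
 */
function renderSnippet(Escaper $escaper, string $untrusted, string $query): string
{
    // 1. HTML body: text between tags.
    $body = $escaper->escapeHtml($untrusted);

    // 2. HTML attribute: the attribute must be quoted in the markup as well.
    $attr = $escaper->escapeHtmlAttr($untrusted);

    // 3. JavaScript: only safe inside a quoted JS string literal.
    $js = $escaper->escapeJs($untrusted);

    // 4. CSS: only safe inside a quoted CSS string value.
    $css = $escaper->escapeCss($untrusted);

    // 5. URL parameter, then the whole href is an HTML attribute, so both
    //    escapers apply, innermost context first.
    $href = $escaper->escapeHtmlAttr('/search?q=' . $escaper->escapeUrl($query));

    return "<p>{$body}</p>\n"
         . "<input type=\"text\" value=\"{$attr}\">\n"
         . "<script>var x = '{$js}';</script>\n"
         . "<style>.x { font-family: '{$css}'; }</style>\n"
         . "<a href=\"{$href}\">search</a>\n";
}

// The encoding given here must match the encoding of the page being rendered.
$escaper = new Escaper('utf-8');

// Constructed sample values: a string that would close the surrounding
// element or quote if echoed raw, and a query value with URL-significant chars.
$untrusted = '"><script>alert(1)</script>';
$query     = 'a b&c=d';

echo renderSnippet($escaper, $untrusted, $query);
```

Each line of the output keeps the attacker-controlled characters inert in its own context; using `escapeHtml` for the attribute or the script line would not.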