Introduction

The OWASP Top 10 web security risks study lists Cross-Site Scripting (XSS) in second place. PHP’s sole functionality against XSS is limited to two functions of which one is commonly misapplied. Thus, the Zend\Escaper component was written. It offers developers a way to escape output and defend from XSS and related vulnerabilities by introducing contextual escaping based on peer-reviewed rules.

Zend\Escaper was written with ease of use in mind, so it can be used completely stand-alone from the rest of the framework, and as such can be installed with Composer.

For easier use of the Escaper component within the framework itself, especially with the Zend\View component, a set of view helpers is provided.

Warning

The Zend\Escaper is a security related component. As such, if you believe you found an issue with this component, we ask that you follow our Security Policy and report security issues accordingly. The Zend Framework team and the contributors thanks you in advance.

Overview

The Zend\Escaper component provides one class, Zend\Escaper\Escaper which in turn, provides five methods for escaping output. Which method to use when, depends on the context in which the outputted data is used. It is up to the developer to use the right methods in the right context.

Zend\Escaper\Escaper has the following escaping methods available for each context:

  • escapeHtml: escape a string for the HTML Body context.
  • escapeHtmlAttr: escape a string for the HTML Attribute context.
  • escapeJs: escape a string for the Javascript context.
  • escapeCss: escape a string for the CSS context.
  • escapeUrl: escape a string for the URI or Parameter contexts.

Usage of each method will be discussed in detail in later chapters.

What Zend\Escaper is not

Zend\Escaper is meant to be used only for escaping data that is to be output, and as such should not be misused for filtering input data. For such tasks, the Zend\Filter component, HTMLPurifier or PHP’s Filter component should be used.

Project Versions

Table Of Contents

Previous topic

Zend\Dom\Query

Next topic

Theory of Operation

This Page

Edit this document

Edit this document

The source code of this file is hosted on GitHub. Everyone can update and fix errors in this document with few clicks - no downloads needed.

  1. Login with your GitHub account.
  2. Go to Introduction on GitHub.
  3. Edit file contents using GitHub's text editor in your web browser
  4. Fill in the Commit message text box at the end of the page telling why you did the changes. Press Propose file change button next to it when done.
  5. On Send a pull request page you don't need to fill in text anymore. Just press Send pull request button.
  6. Your changes are now queued for review under project's Pull requests tab on GitHub.