.. _zend.escaper.escaping-css:

Escaping Cascading Style Sheets
===============================

CSS is similar to :ref:`Javascript <zend.escaper.escaping-javascript>` for the same reasons: a value placed inside a ``<style>`` element or a ``style`` attribute is interpreted by the CSS parser, and a single unexpected character such as ``<``, ``'`` or ``}`` can end the enclosing element, string or rule. CSS escaping therefore leaves only basic alphanumeric characters untouched and converts every other character into a valid CSS hexadecimal escape: a backslash, the character's code point in hexadecimal, and a terminating space (``<`` becomes ``\3C`` followed by a space).

.. _zend.escaper.escaping-css.bad-examples:

Examples of Bad CSS Escaping
----------------------------

The most common mistake is not escaping user-controlled CSS at all:

.. code-block:: php
   :linenos:

   <?php
   // User-controlled value: the "URL" ends the <style> element and starts a script
   $input = <<<INPUT
   body {
       background-image: url('http://example.com/foo.jpg?</style><script>alert(1)</script>');
   }
   INPUT;
   ?>

   <style>
   <?php echo $input; ?>
   </style>

   <h1>Unescaped CSS</h1>

   <p>User controlled CSS needs to be properly escaped!</p>

In the above example, ``$input`` is written into the ``<style>`` element verbatim. The HTML parser knows nothing about CSS strings: it treats the ``</style>`` inside the URL as the end of the stylesheet and executes the ``<script>`` that follows it, so an attacker gets an XSS with no effort at all.

.. _zend.escaper.escaping-css.good-examples:

Examples of Good CSS Escaping
-----------------------------

Passing the value through the ``escapeCss`` method before it reaches the CSS context prevents the attack:

.. code-block:: php
   :linenos:

   <?php
   $input = <<<INPUT
   body {
       background-image: url('http://example.com/foo.jpg?</style><script>alert(1)</script>');
   }
   INPUT;
   $escaper = new Zend\Escaper\Escaper('utf-8');
   // Every non-alphanumeric character becomes a \XX escape, so no '<' survives
   $output = $escaper->escapeCss($input);
   ?>

   <style>
   <?php echo $output; ?>
   </style>

   <h1>Escaped CSS</h1>

   <p>User controlled CSS needs to be properly escaped!</p>

By properly escaping user controlled CSS, we can prevent XSS attacks in our web applications. Two caveats apply. ``escapeCss`` is meant for an individual untrusted value placed inside a CSS property (a URL, a colour, a font name); escaping an entire stylesheet, as the example above does, neutralises the payload but also escapes the braces, colons and spaces, so what reaches the browser is no longer a usable rule. And escaping only makes a value safe to embed; it does not make it legitimate, so a URL destined for ``url()`` should additionally be checked against an allow-list of schemes and hosts before it is escaped.
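The escaping rule described above, and the difference between escaping a single value and escaping a whole stylesheet, as an added example in Python. This is illustrative code written for this page, not Zend\Escaper's implementation; the ``escape_css``, ``css_unescape`` and ``render_background_rule`` functions and the sample payload are constructed for the example.

```python
import re

# Constructed sample input: the attacker-supplied "URL" from the page's example.
# The </style> closes the stylesheet for the HTML parser; the <script> then runs.
PAYLOAD = "http://example.com/foo.jpg?</style><script>alert(1)</script>"


def escape_css(value: str) -> str:
    """Escape an untrusted string for placement inside a CSS value.

    Implements the rule the page describes: ASCII letters and digits pass
    through unchanged; every other character (whitespace and non-ASCII
    included) becomes a CSS hexadecimal escape: a backslash, the code point
    in uppercase hex, and a terminating space. The space is what stops a
    following hex digit from being absorbed into the escape. Illustrative
    reimplementation, not Zend\\Escaper's own code.
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("\\%X " % ord(ch))
    return "".join(out)


# A CSS tokenizer reads a backslash, 1-6 hex digits and one optional
# whitespace character as a single code point (CSS Syntax Level 3).
_CSS_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{1,6})(?:\r\n|[ \t\n\f\r])?")


def css_unescape(text: str) -> str:
    """Decode CSS hex escapes, i.e. recover what the browser's CSS parser sees."""
    return _CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def render_background_rule(untrusted_url: str) -> str:
    """Hypothetical template: only the untrusted value is escaped; the
    surrounding rule is trusted application code. (Escaping the whole
    stylesheet, as the page's example does, also mangles braces and colons.)"""
    return "body {\n    background-image: url('%s');\n}" % escape_css(untrusted_url)


def contains_markup(text: str) -> bool:
    """True if an HTML parser could still find a tag in `text`: it needs a
    literal '<', which escaping removes."""
    return "<" in text


if __name__ == "__main__":
    escaped = escape_css(PAYLOAD)
    print("escaped value  :", escaped)
    print("CSS parser sees:", css_unescape(escaped))
    print("safe rule:\n" + render_background_rule(PAYLOAD))
    print("whole stylesheet escaped:", escape_css("body { color: red }"))
```

The round trip through ``css_unescape`` is the point of the exercise: the CSS parser still sees exactly the attacker's string, so the value keeps its meaning as CSS data, while the HTML parser never sees a ``<`` and so never finds a ``</style>`` to act on.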