Escaping HTML

Probably the most common escaping happens in the HTML Body context. There are very few characters with special meaning in this context, yet it is quite common to see data escaped incorrectly, usually by calling the escaping function with the wrong flags or the wrong character encoding.

For escaping data in the HTML Body context, use Zend\Escaper\Escaper's escapeHtml method. Internally it uses PHP's htmlspecialchars, and additionally sets the flags and encoding correctly.

<?php
// outputting this without escaping would be a bad idea!
$input = '<script>alert("zf2")</script>';

$escaper = new Zend\Escaper\Escaper('utf-8');

// somewhere in an HTML template
?>
<div class="user-provided-input">
    <?php
    echo $escaper->escapeHtml($input); // all safe!
    ?>
</div>

One thing a developer needs to pay special attention to is the encoding in which the document is served to the client: it must be the same as the encoding used for escaping!

Examples of Bad HTML Escaping

An example of incorrect usage:

<?php
$input = '<script>alert("zf2")</script>';
$escaper = new Zend\Escaper\Escaper('utf-8');
?>
<?php header('Content-Type: text/html; charset=ISO-8859-1'); ?>
<!DOCTYPE html>
<html>
<head>
    <title>Encodings set incorrectly!</title>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</head>
<body>
    <?php
    // Bad! The escaper's and the document's encodings are different!
    echo $escaper->escapeHtml($input);
    ?>
</body>
</html>

Examples of Good HTML Escaping

An example of correct usage:

<?php
$input = '<script>alert("zf2")</script>';
$escaper = new Zend\Escaper\Escaper('utf-8');
?>
<?php header('Content-Type: text/html; charset=UTF-8'); ?>
<!DOCTYPE html>
<html>
<head>
    <title>Encodings set correctly!</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
    <?php
    // Good! The escaper's and the document's encodings are the same!
    echo $escaper->escapeHtml($input);
    ?>
</body>
</html>
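The following is an added example, not code from the Zend\Escaper documentation or library: it mirrors what escapeHtml does internally with htmlspecialchars (ENT_QUOTES | ENT_SUBSTITUTE and an explicit encoding) and adds a small guard that refuses to continue when the Content-Type charset differs from the escaper's encoding, the mismatch the bad example above shows. The functions escapeHtmlBody, charsetFromContentType and assertEncodingMatches are this example's own names.

```php
<?php
// Added example, not from the Zend\Escaper docs. Mirrors what escapeHtml()
// does internally and guards against the encoding mismatch shown above.
declare(strict_types=1);

// Escape for the HTML Body context the way escapeHtml() does: ENT_QUOTES covers
// both quote styles, ENT_SUBSTITUTE replaces invalid byte sequences with U+FFFD
// instead of silently returning an empty string, and the encoding is explicit
// rather than left to PHP's default.
function escapeHtmlBody(string $input, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

// Extract the charset parameter from a Content-Type value; null when absent.
function charsetFromContentType(string $contentType): ?string
{
    if (preg_match('/charset\s*=\s*"?([A-Za-z0-9._-]+)"?/i', $contentType, $m)) {
        return strtoupper($m[1]);
    }
    return null;
}

// Refuse to render when the served charset differs from the escaper's encoding.
function assertEncodingMatches(string $contentType, string $escaperEncoding): void
{
    $served = charsetFromContentType($contentType);
    if ($served !== strtoupper($escaperEncoding)) {
        throw new RuntimeException(sprintf(
            'escaper encoding %s does not match served charset %s',
            $escaperEncoding,
            $served ?? '(none)'
        ));
    }
}

// Constructed sample inputs.
$input = '<script>alert("zf2")</script> and O\'Reilly';
echo escapeHtmlBody($input), PHP_EOL;

$latin1 = "caf\xE9"; // a Latin-1 byte, which is invalid as UTF-8
echo escapeHtmlBody($latin1), PHP_EOL; // ENT_SUBSTITUTE keeps this from becoming ''

assertEncodingMatches('text/html; charset=UTF-8', 'utf-8'); // the good example
try {
    assertEncodingMatches('text/html; charset=ISO-8859-1', 'utf-8'); // the bad example
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```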