Introduction to Zend\Escaper

The OWASP Top 10 web security risks study lists Cross-Site Scripting (XSS) in second place. PHP’s built-in defence against XSS is limited to two functions, one of which is commonly misapplied. For this reason the Zend\Escaper component was written. It offers developers a way to escape output and defend against XSS and related vulnerabilities by introducing contextual escaping based on peer-reviewed rules.

Zend\Escaper was written with ease of use in mind, so it can be used completely stand-alone from the rest of the framework, and as such can be installed with Composer using zendframework/zend-escaper.

For easier use of the Escaper component within the framework itself, especially with the Zend\View component, a set of view helpers is provided.

Warning

Zend\Escaper is a security-related component. As such, if you believe you have found an issue with this component, we ask that you follow our Security Policy and report security issues accordingly. The Zend Framework team and the contributors thank you in advance.

Overview

The Zend\Escaper component provides one class, Zend\Escaper\Escaper, which in turn provides five methods for escaping output. Which method to use depends on the context in which the output data is used. It is up to the developer to use the right method in the right context.

Zend\Escaper\Escaper has the following escaping methods available for each context:

  • escapeHtml: escape a string for the HTML Body context.
  • escapeHtmlAttr: escape a string for the HTML Attribute context.
  • escapeJs: escape a string for the JavaScript context.
  • escapeCss: escape a string for the CSS context.
  • escapeUrl: escape a string for the URI or Parameter contexts.

Usage of each method will be discussed in detail in later chapters.
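As an added example (not code from the Zend Framework documentation), the following shows a single Escaper instance applied to the five contexts listed above within one template. It assumes Composer autoloading of zendframework/zend-escaper; the renderProfileCard function and the $user array are constructed for illustration.

```php
<?php
// Added example: one Escaper instance, the right method for each output context.
// Assumes Composer autoloading of zendframework/zend-escaper (vendor/autoload.php).
require 'vendor/autoload.php';

use Zend\Escaper\Escaper;

function renderProfileCard(array $user, Escaper $escaper): string
{
    // HTML body context: text between tags.
    $name = $escaper->escapeHtml($user['name']);

    // HTML attribute context: a value inside a quoted attribute. The attribute
    // must still be quoted in the template; the escaper does not add quotes.
    $title = $escaper->escapeHtmlAttr($user['tagline']);

    // URL context: a single query-string parameter value, not a whole URL.
    $search = $escaper->escapeUrl($user['name']);

    // CSS context: a value inserted into an inline style declaration.
    $color = $escaper->escapeCss($user['favourite_color']);

    // JavaScript context: a value placed inside a JS string literal.
    $jsName = $escaper->escapeJs($user['name']);

    return <<<HTML
<div class="card" title="{$title}" style="color: {$color}">
  <span class="name">{$name}</span>
  <a href="/search?q={$search}">Find similar</a>
  <script>var displayName = '{$jsName}';</script>
</div>
HTML;
}

// Constructed sample input: each value carries characters that are significant
// in at least one of the contexts above (quotes, angle brackets, ampersand,
// semicolon), so the escaped output can be compared against the raw value.
$user = [
    'name'            => 'Bob "The Builder" <b>',
    'tagline'         => "Can we fix it? 'Yes' we can & more",
    'favourite_color' => 'red; background: url(x)',
];

$escaper = new Escaper('utf-8');
echo renderProfileCard($user, $escaper);
```

Note that escapeCss and escapeJs encode every non-alphanumeric character, so a value such as the favourite_color above renders as an inert literal rather than as an additional declaration; the escaping is deliberately aggressive and is only meant for values, never for whole blocks of markup, style or script.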

What Zend\Escaper is not

Zend\Escaper is meant to be used only for escaping data that is to be output, and as such should not be misused for filtering input data. For such tasks, the Zend\Filter component, HTMLPurifier or PHP’s Filter component should be used.