--- layout: default permalink: templates/escaping/ title: Escaping --- Escaping ======== Escaping is a form of [data filtering](http://www.phptherightway.com/#data_filtering) which sanitizes unsafe, user supplied input prior to outputting it as HTML. Plates provides two shortcuts to the `htmlspecialchars()` function. ## Escaping example ~~~ php

Hello, escape($name)?>

Hello, e($name)?>

~~~ ## Batch function calls The escape functions also support [batch](/templates/functions/#batch-function-calls) function calls, which allow you to apply multiple functions, including native PHP functions, to a variable at one time. ~~~ php

Welcome e($name, 'strip_tags|strtoupper')?>

~~~ ## Escaping HTML attributes

It's VERY important to always double quote HTML attributes that contain escaped variables, otherwise your template will still be open to injection attacks.

Some [libraries](http://framework.zend.com/manual/2.1/en/modules/zend.escaper.escaping-html-attributes.html) go as far as having a special function for escaping HTML attributes. However, this is somewhat redundant considering that if a developer forgets to properly quote an HTML attribute, they will likely also forget to use this special function. Here is how you properly escape HTML attributes: ~~~ php <?=$this->e($name)?> <?=$this->e($name)?> <?=$this-e($name)?>> ~~~ ## Automatic escaping Probably the biggest drawbacks to native PHP templates is the inability to auto-escape variables properly. Template languages like Twig and Smarty can identify "echoed" variables during a parsing stage and automatically escape them. This cannot be done in native PHP as the language does not offer overloading functionality for it's output functions (ie. `print` and `echo`). Don't worry, escaping can still be done safely, it just means you are responsible for manually escaping each variable on output. Consider creating a snippet for one of the above, built-in escaping functions to make this process easier.