2.2 KiB
layout | permalink | title |
---|---|---|
default | templates/escaping/ | Escaping |
Escaping
Escaping is a form of data filtering which sanitizes unsafe, user supplied input prior to outputting it as HTML. Plates provides two shortcuts to the htmlspecialchars()
function.
Escaping example
<h1>Hello, <?=$this->escape($name)?></h1>
<!-- Using the alternative, shorthand function -->
<h1>Hello, <?=$this->e($name)?></h1>
Batch function calls
The escape functions also support batch function calls, which allow you to apply multiple functions, including native PHP functions, to a variable at one time.
<p>Welcome <?=$this->e($name, 'strip_tags|strtoupper')?></p>
Escaping HTML attributes
It's VERY important to always double quote HTML attributes that contain escaped variables, otherwise your template will still be open to injection attacks.
Some libraries go as far as having a special function for escaping HTML attributes. However, this is somewhat redundant considering that if a developer forgets to properly quote an HTML attribute, they will likely also forget to use this special function. Here is how you properly escape HTML attributes:
<!-- Good -->
<img src="portrait.jpg" alt="<?=$this->e($name)?>">
<!-- BAD -->
<img src="portrait.jpg" alt='<?=$this->e($name)?>'>
<!-- BAD -->
<img src="portrait.jpg" alt=<?=$this->e($name)?>>
Automatic escaping
Probably the biggest drawbacks to native PHP templates is the inability to auto-escape variables properly. Template languages like Twig and Smarty can identify "echoed" variables during a parsing stage and automatically escape them. This cannot be done in native PHP as the language does not offer overloading functionality for it's output functions (ie. print
and echo
).
Don't worry, escaping can still be done safely, it just means you are responsible for manually escaping each variable on output. Consider creating a snippet for one of the above, built-in escaping functions to make this process easier.