Server : Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.20 System : Linux st2.domain.com 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 User : apache ( 48) PHP Version : 7.4.20 Disable Function : NONE Directory : /var/www/html/st2/vendor/league/plates/docs/templates/ |
--- layout: default permalink: templates/escaping/ title: Escaping --- Escaping ======== Escaping is a form of [data filtering](http://www.phptherightway.com/#data_filtering) which sanitizes unsafe, user supplied input prior to outputting it as HTML. Plates provides two shortcuts to the `htmlspecialchars()` function. ## Escaping example ~~~ php <h1>Hello, <?=$this->escape($name)?></h1> <!-- Using the alternative, shorthand function --> <h1>Hello, <?=$this->e($name)?></h1> ~~~ ## Batch function calls The escape functions also support [batch](/templates/functions/#batch-function-calls) function calls, which allow you to apply multiple functions, including native PHP functions, to a variable at one time. ~~~ php <p>Welcome <?=$this->e($name, 'strip_tags|strtoupper')?></p> ~~~ ## Escaping HTML attributes <p class="message-notice">It's VERY important to always double quote HTML attributes that contain escaped variables, otherwise your template will still be open to injection attacks.</p> Some [libraries](http://framework.zend.com/manual/2.1/en/modules/zend.escaper.escaping-html-attributes.html) go as far as having a special function for escaping HTML attributes. However, this is somewhat redundant considering that if a developer forgets to properly quote an HTML attribute, they will likely also forget to use this special function. Here is how you properly escape HTML attributes: ~~~ php <!-- Good --> <img src="portrait.jpg" alt="<?=$this->e($name)?>"> <!-- BAD --> <img src="portrait.jpg" alt='<?=$this->e($name)?>'> <!-- BAD --> <img src="portrait.jpg" alt=<?=$this->e($name)?>> ~~~ ## Automatic escaping Probably the biggest drawbacks to native PHP templates is the inability to auto-escape variables properly. Template languages like Twig and Smarty can identify "echoed" variables during a parsing stage and automatically escape them. This cannot be done in native PHP as the language does not offer overloading functionality for it's output functions (ie. `print` and `echo`). Don't worry, escaping can still be done safely, it just means you are responsible for manually escaping each variable on output. Consider creating a snippet for one of the above, built-in escaping functions to make this process easier.