Introduction to Zend\Escaper
The OWASP Top 10 web security risks study lists Cross-Site Scripting (XSS) in second place. PHP’s built-in
defence against XSS is limited to two functions, one of which is commonly misapplied. Thus, the
was written. It offers developers a way to escape output and defend from XSS and related vulnerabilities by introducing
contextual escaping based on peer-reviewed rules.
Zend\Escaper was written with ease of use in mind, so it can be used completely stand-alone from the rest of
the framework, and as such can be installed with Composer using zendframework/zend-escaper.
For easier use of the Escaper component within the framework itself, especially with the
a set of view helpers is provided.
Zend\Escaper is a security related component. As such, if you believe you found an issue with this
component, we ask that you follow our Security Policy and report security issues accordingly. The Zend
Framework team and the contributors thank you in advance.
The Zend\Escaper component provides one class,
Zend\Escaper\Escaper, which in turn provides five methods
for escaping output. Which method to use depends on the context in which the output is placed; it is
up to the developer to use the right method in the right context.
Zend\Escaper\Escaper has the following escaping methods available for each context:
- escapeHtml: escape a string for the HTML Body context.
- escapeHtmlAttr: escape a string for the HTML Attribute context.
- escapeJs: escape a string for the JavaScript context.
- escapeCss: escape a string for the CSS context.
- escapeUrl: escape a string for the URI or Parameter contexts.
Usage of each method will be discussed in detail in later chapters.
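As an added example (not code from the page or from the zend-escaper project), the following script takes one untrusted value and renders it into each of the five contexts with the matching Escaper method; the `$untrusted` sample and the template layout are constructed for illustration, and a Composer install of `zendframework/zend-escaper` is assumed.

```php
<?php
// Added example: one untrusted value rendered into five output contexts,
// each escaped with the Escaper method for that context only.
// Assumes zendframework/zend-escaper is installed via Composer.
require 'vendor/autoload.php';

use Zend\Escaper\Escaper;

// Pass the encoding the page is actually served in; a mismatch between the
// escaper's encoding and the document's encoding undermines the escaping.
$escaper = new Escaper('utf-8');

// Constructed sample of attacker-controlled input (e.g. a display name).
$untrusted = '<b onmouseover="x()">Tom & "Jerry"</b> \' ; --';

// 1. HTML body: text placed between tags.
$body = $escaper->escapeHtml($untrusted);

// 2. HTML attribute: value of a quoted attribute. This escapes far more
//    characters than escapeHtml, so use it even inside double quotes.
$attr = $escaper->escapeHtmlAttr($untrusted);

// 3. JavaScript: a string literal inside a <script> block.
$js = $escaper->escapeJs($untrusted);

// 4. CSS: a value inside a style declaration.
$css = $escaper->escapeCss($untrusted);

// 5. URL: a single query-string parameter value. If the whole URL is
//    user-supplied, validate its scheme separately; escapeUrl only
//    encodes a parameter.
$url = $escaper->escapeUrl($untrusted);

// Each escaped value is placed only in the context it was escaped for;
// reusing $body inside the attribute or script would be a misapplication.
$html = <<<HTML
<p>{$body}</p>
<input type="text" value="{$attr}">
<script>var name = '{$js}';</script>
<div style="font-family: '{$css}';">...</div>
<a href="/search?q={$url}">search</a>
HTML;

echo $html;
```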