jakubboucek / legacy-escape
Right escape data inserted to HTML, CSS, JS and URL. Substrate of Latte/Latte package.
Installs: 1 648
Dependents: 0
Suggesters: 0
Security: 0
Stars: 1
Watchers: 4
Forks: 0
Open Issues: 0
Requires
- php: ~7.2 || ~8.0
- ext-json: *
Requires (Dev)
- nette/tester: ^2.4 || ^2.5 || dev-master
- nette/utils: ^3.1 || ^4.0
- phpstan/phpstan: 1.12.6
Suggests
- nette/utils: Allows to safe escape HTML with markup: https://doc.nette.org/en/utils/html-elements
README
PHP library to right escape outputs in your legacy project.
Don't use package for new projects, use Latte instead.
Package is substrate of Latte package filters.
Features
- Escape HTML
- Escape HTML attributes
- Escape HTML href attributes
- Escape HTML comments
- Escape XML
- Escape JS
- Escape URL
- Escape CSS
- Escape CSS specifics for few properties:
color
value
Install
composer require jakubboucek/legacy-escape
Usage
Instead:
echo 'Registered user: ' . $username;
Use:
use JakubBoucek\Escape\Escape; echo 'Registered user: ' . Escape::html($username);
You can use shortcut by aliasing too:
use JakubBoucek\Escape\Escape as E; echo 'Registered user: ' . E::html($username);
CSS specifics
In few cases you cannot use Escape::css($cssColor)
to escape
some known format, because standard escaping is broke CSS format. Class EscapeCss
has prepared
limited set of known propetries with specefics format:
color
property
Sanitize value od CSS color
property to safe format, example:
use JakubBoucek\Escape\EscapeCss; echo '<style>color: ' . EscapeCss::color($cssColor) . ';</style>';
It's prevent attact by escaping color value context.
Safe HTML content
Package supports escaping HTML with included safe HTML content.
Usage:
use JakubBoucek\Escape\Escape; use Nette\Utils\Html; $avatarUrl = 'http:/example.com/avatar.png'; $username = 'John Doe <script>hack</script>'; $avatarImage = Html::el('img')->src($avatarUrl)->width(16); echo Escape::html($avatarImage, ' ', $username); // <img src="http:/example.com/avatar.png" width="16"> John Doe <script>hack</script>
Output without any escaping
In some cases you intentionally want to output variable without any escaping, but somebody other or your future self may
mistakenly believe you forgot to escape it. Here you can use noescape()
method to mark code as intentionally unescaped.
echo \JakubBoucek\Escape\Escape::noescape($htmlContent);
FAQ
Is it support for escaping SQL query?
No, SQL requires access to active SQL connection to right escape. This package is only allows to escape contexts without external requirements.
Contributing
Please don't hesitate send Issue or Pull Request.
Security
If you discover any security related issues, please email pan@jakubboucek.cz instead of using the issue tracker.
License
The MIT License (MIT). Please see License File for more information.
Origin code licences
Copyright (c) 2004, 2014 David Grudl (https://davidgrudl.com) All rights reserved. Please see License File for more information.