jakubboucek/legacy-escape

Right escape data inserted to HTML, CSS, JS and URL. Substrate of Latte/Latte package.

v1.9.4 2024-10-17 07:13 UTC

This package is auto-updated.

Last update: 2024-12-17 07:28:37 UTC


README

PHP library to right escape outputs in your legacy project.

Don't use package for new projects, use Latte instead.

Package is substrate of Latte package filters.

Features

  • Escape HTML
  • Escape HTML attributes
  • Escape HTML href attributes
  • Escape HTML comments
  • Escape XML
  • Escape JS
  • Escape URL
  • Escape CSS
  • Escape CSS specifics for few properties:
    • color value

Install

composer require jakubboucek/legacy-escape

Usage

Instead:

echo 'Registered user: ' . $username;

Use:

use JakubBoucek\Escape\Escape;

echo 'Registered user: ' . Escape::html($username);

You can use shortcut by aliasing too:

use JakubBoucek\Escape\Escape as E;

echo 'Registered user: ' . E::html($username);

CSS specifics

In few cases you cannot use Escape::css($cssColor) to escape some known format, because standard escaping is broke CSS format. Class EscapeCss has prepared limited set of known propetries with specefics format:

color property

Sanitize value od CSS color property to safe format, example:

use JakubBoucek\Escape\EscapeCss;

echo '<style>color: ' . EscapeCss::color($cssColor) . ';</style>';

It's prevent attact by escaping color value context.

Safe HTML content

Package supports escaping HTML with included safe HTML content.

Usage:

use JakubBoucek\Escape\Escape;
use Nette\Utils\Html; 

$avatarUrl = 'http:/example.com/avatar.png';
$username = 'John Doe <script>hack</script>';

$avatarImage = Html::el('img')->src($avatarUrl)->width(16);
echo Escape::html($avatarImage, ' ', $username);

// <img src="http:/example.com/avatar.png" width="16"> John Doe &lt;script&gt;hack&lt;/script&gt;

Output without any escaping

In some cases you intentionally want to output variable without any escaping, but somebody other or your future self may mistakenly believe you forgot to escape it. Here you can use noescape() method to mark code as intentionally unescaped.

echo \JakubBoucek\Escape\Escape::noescape($htmlContent);

FAQ

Is it support for escaping SQL query?

No, SQL requires access to active SQL connection to right escape. This package is only allows to escape contexts without external requirements.

Contributing

Please don't hesitate send Issue or Pull Request.

Security

If you discover any security related issues, please email pan@jakubboucek.cz instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

Origin code licences

Copyright (c) 2004, 2014 David Grudl (https://davidgrudl.com) All rights reserved. Please see License File for more information.