
HTML body context (escHtml)

Use when the value lands between HTML tags: <p>HERE</p>, <div>HERE</div>, <li>HERE</li>.

What it does

escHtml is a thin wrapper around htmlspecialchars() configured with ENT_QUOTES | ENT_SUBSTITUTE:

  • ENT_QUOTES escapes both single and double quotes, so the same output is safe inside an attribute should it ever be moved.
  • ENT_SUBSTITUTE replaces malformed UTF-8 with U+FFFD instead of returning an empty string — failing safe, not silently.

Example

use InitPHP\Escaper\Esc;

echo Esc::esc('<script>alert("xss")</script>');
// &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;

echo Esc::esc("Tom & Jerry's adventure");
// Tom &amp; Jerry&#039;s adventure

The escaper does not touch characters that are already safe in the HTML body context — letters, digits, accented characters, emoji, all pass through:

echo Esc::esc('Merhaba dünya 🚀');
// Merhaba dünya 🚀

When not to use it

  • Attribute values — escHtml is safe enough for quoted attributes but loses to unquoted attributes (a space ends the value). Use escHtmlAttr instead.
  • <script> blocks — HTML entities are not decoded inside a script. Use escJs.
  • <style> blocks — same problem. Use escCss.
  • URLs in href / src — escape the URL with escUrl first, then put the escaped URL through escHtml if needed.
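An added example, not the library's own code: a minimal re-implementation of the flag configuration described under "What it does", shown beside the two misconfigurations those flags guard against, followed by the unquoted-attribute failure from "When not to use it". The function name escHtmlLike and the sample strings are assumptions constructed for this example; escHtmlLike is not the library's escHtml.

```php
<?php
// Added example, not the library's code. Re-implements the behaviour the page
// describes: htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE (assumes UTF-8).
function escHtmlLike(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. ENT_QUOTES. With ENT_COMPAT only the double quote is converted, so the
//    single quote survives and would terminate a single-quoted attribute if the
//    same escaped string were ever reused there. ENT_QUOTES converts both.
$withQuote = "Jerry's \"adventure\"";   // constructed sample
echo "ENT_COMPAT : ", htmlspecialchars($withQuote, ENT_COMPAT, 'UTF-8'), "\n";
echo "ENT_QUOTES : ", escHtmlLike($withQuote), "\n";

// 2. ENT_SUBSTITUTE. A lone continuation byte (0x80) is malformed UTF-8.
//    Without the flag htmlspecialchars() gives up on the whole string and
//    returns an empty string, which a caller rarely checks for; with the flag
//    the bad byte is replaced by U+FFFD and the rest of the text is kept.
$malformed = "caf\x80";                  // constructed sample
$noFlag = htmlspecialchars($malformed, ENT_QUOTES, 'UTF-8');
echo "no ENT_SUBSTITUTE, length: ", strlen($noFlag), "\n";
echo "ENT_SUBSTITUTE, length: ", strlen(escHtmlLike($malformed)), "\n";

// 3. Context matters. Between tags the escaped output is inert text. Inside an
//    unquoted attribute the first space ends the value, so the second word is
//    parsed as a separate attribute; escHtml does not encode spaces because the
//    body context does not need it. Quote the attribute or use escHtmlAttr.
$twoWords = 'Tom Jerry';                 // constructed sample
echo '<p>', escHtmlLike($twoWords), "</p>\n";           // one text node
echo '<div title=', escHtmlLike($twoWords), ">\n";      // title=Tom plus attr "Jerry"
echo '<div title="', escHtmlLike($twoWords), "\">\n";   // quoted: one attribute
```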