Nick

Reputation: 8319

CakePHP: h() vs. Sanitize::html()

CakePHP has a global function called h. It's a convenience method for htmlspecialchars. CakePHP also has a utility called Sanitize, which has a method called html. Here is part of its description:

This method prepares user-submitted data for display inside HTML. This is especially useful if you don’t want users to be able to break your layouts or insert images or scripts inside of your HTML pages.

When should each be used? Is one better than the other?

Upvotes: 4

Views: 5019

Answers (1)

Costa

Reputation: 4969

Sanitize::html() is more versatile: it lets you strip the HTML completely (via the remove option), and lets you specify how it handles quoting.

See the source code:
h(): http://api.cakephp.org/2.3/source-function-h.html#160-199
Sanitize::html(): http://api.cakephp.org/2.3/source-class-Sanitize.html#83-122

EDIT:
h(): calls htmlspecialchars()
Sanitize::html(): calls htmlentities()

For discussion on differences, see: htmlentities() vs. htmlspecialchars()

Upvotes: 4
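To make the difference concrete, here is a standalone PHP script (an added example, not code from the question, the answer, or CakePHP itself) that reproduces the two underlying PHP calls the answer names, so it runs with plain PHP and no CakePHP install. The function names escapeLikeH and sanitizeLikeHtml, the default option values (ENT_QUOTES, UTF-8, double-encoding on) and the sample input are assumptions chosen to mirror the 2.x behaviour the linked source pages describe.

```php
<?php
// Added example, not CakePHP code. Mirrors the two calls named in the answer.

// Stand-in for h(): htmlspecialchars(), escaping only & < > " '.
// ENT_QUOTES is assumed to match CakePHP's default; it covers both quote styles.
function escapeLikeH(string $text, bool $double = true, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($text, ENT_QUOTES, $charset, $double);
}

// Stand-in for Sanitize::html(): optional strip_tags() ('remove'), then
// htmlentities() with caller-chosen quote handling ('quotes').
// Option names follow the answer; default values are assumptions.
function sanitizeLikeHtml(string $text, array $options = []): string
{
    $options += [
        'remove'  => false,
        'charset' => 'UTF-8',
        'quotes'  => ENT_QUOTES,
        'double'  => true,
    ];

    if ($options['remove']) {
        // Tags are removed first; the result is still entity-encoded below.
        $text = strip_tags($text);
    }

    return htmlentities($text, $options['quotes'], $options['charset'], $options['double']);
}

// Runs the same constructed input through every variant and returns the results
// keyed by a short label, so callers can compare them side by side.
function compareEscapers(): array
{
    // Constructed sample: a script tag, both quote styles, an ampersand,
    // and a non-ASCII character to show where htmlentities() differs.
    $input = "<script>alert('x')</script> Caf\u{E9} \"q\" & <b>bold</b>";

    return [
        // Both defaults neutralise the tag and both quote characters.
        'h'                 => escapeLikeH($input),
        // Same as above except the accented character becomes a named entity.
        'sanitize'          => sanitizeLikeHtml($input),
        // strip_tags() drops the <script> and <b> elements entirely,
        // then the remaining text is still entity-encoded.
        'sanitize_remove'   => sanitizeLikeHtml($input, ['remove' => true]),
        // ENT_NOQUOTES leaves ' and " untouched: the output is no longer safe
        // to place inside a quoted HTML attribute value.
        'sanitize_noquotes' => sanitizeLikeHtml($input, ['quotes' => ENT_NOQUOTES]),
    ];
}

foreach (compareEscapers() as $label => $output) {
    printf("%-18s %s\n", $label . ':', $output);
}
```

The check a practitioner wants from the output: with the defaults, the only difference between the two is that htmlentities() also encodes non-ASCII characters such as é, which is unnecessary on a UTF-8 page but harmless. The security-relevant knob is the quotes option: anything weaker than ENT_QUOTES leaves a quote character through, so a value like `name='&lt;script&gt;…'` can still terminate a single-quoted attribute. The remove option is a layout convenience (it drops markup instead of displaying it escaped), not an extra layer of protection, since the entity encoding happens either way.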
