Reputation: 5
Format output in cakephp
I store a few notification for user in html format in model. ex
$not = "Test Notification";
But as per inputs I've got from other, I need to escape the output, using h() function. So my question is, is it safe (against XSS) in this case to output without escaping as data is generated internally rather than getting input from end user.
Similarly, at other places, I output this kind of stuff using AJAX and calling .html() in jQuery. is it safe in this case also?
Thanks
Upvotes: 0
Views: 59
Answers (1)
Reputation: 21743
For normal text strings you can answer that question yourself:
Is is absolutely impossible to put any char like < or > etc in that string from the frontend or backend? If so, YES. If not, you need to wrap it with h().
It is not just XSS, also the layout can break with invalid handling of the output data.
So if you are generating that string in the PHP code, you usually know how "safe" that method is (as the outside then has limited access).
Also note, that when allowing HTML via wysiysg editors, the above does not apply, as HTML cannot be h()ed. Thus you need to sanitize the data upon input using sth like https://github.com/burzum/cakephp-html-purifier
Upvotes: 1
Related Questions
- How can I pretty format JSON output in CakePHP?
- CakePHP change format in a list input
- cakephp 2.4.6 and array output
- How to get Formated JSON output in CakePHP controller
- cakephp render element with data
- CakePHP json output
- cakephp output data as json
- How can I format the output of this JSON in CakePHP?
- format cakephp find result
- Format data with JQuery for posting to CakePHP controller