Agent Smith

Reputation: 97

Input filter/val output escape zf2 correctly?

Do I understand correctly that I need to escape in the view something like this:

<div id="search-box">
    <?php $escaper = new Zend\Escaper\Escaper('utf-8'); ?>
    <input type="text" placeholder="<?php echo $escaper->escapeHtml($this->languageText('TEXT_SEARCH_OUR_SITE', "Search Our Site")); ?>" name="query" id="query" />
    <div class="search-box-bk"></div>
</div>

And how do I correctly filter or validate this line in the controller:

$this->view->phrase = $this->getRequest()->getParam('phrase','');

Upvotes: 1

Views: 94

Answers (1)

Tim Fountain

Reputation: 33148

How to escape something correctly depends on the context. In your example the variable is being output in an HTML attribute, so you should use escapeHtmlAttr:

<input type="text" placeholder="<?php echo $escaper->escapeHtmlAttr($this->languageText('TEXT_SEARCH_OUR_SITE', "Search Our Site")); ?>" name="query" id="query" />

There is a list of escape functions in the overview of the component.

As for what you need to do in the controller, the answer is: probably nothing, but it depends what you are going to use "phrase" for.

Upvotes: 1
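The following is an added example, not code from the question or the answer above, showing the two halves the thread touches on: filtering and validating the "phrase" request parameter on the controller side with Zend\InputFilter, and escaping the same value for each output context (HTML body, HTML attribute, JavaScript, URL, CSS) with Zend\Escaper. It assumes the Zend Framework 2 components are installed via Composer; the sample input string and the helper name filterPhrase are constructed for this example and stand in for the request parameter and view helper in the question.

```php
<?php
// Added example (not from the question or answer): context-aware escaping with
// Zend\Escaper plus controller-side filtering of the "phrase" parameter.
// Assumes Zend Framework 2 components are autoloadable via Composer.
require 'vendor/autoload.php';

use Zend\Escaper\Escaper;
use Zend\InputFilter\Input;
use Zend\Filter\StringTrim;
use Zend\Validator\StringLength;

// --- Controller side: filter and validate the raw request parameter ---------
// In the question this value comes from $this->getRequest()->getParam('phrase', '');
// here the caller passes a constructed sample value instead.
function filterPhrase($rawPhrase)
{
    $input = new Input('phrase');          // hypothetical helper name, constructed for this example
    $input->setRequired(false);
    $input->getFilterChain()
          ->attach(new StringTrim());      // drop surrounding whitespace
    $input->getValidatorChain()
          ->attach(new StringLength(array('max' => 200))); // bound the length

    $input->setValue($rawPhrase);
    if (!$input->isValid()) {
        // Reject rather than silently truncate; the caller decides what to render.
        return null;
    }
    return $input->getValue();              // value after the filter chain ran
}

// --- View side: escape for the context the value lands in ------------------
// No HTML is stripped on input; output escaping is what makes the value safe,
// and it is chosen per context as the accepted answer explains.
$escaper = new Escaper('utf-8');
$phrase  = filterPhrase("  O'Reilly <books> & \"more\"  ");   // constructed sample input

if ($phrase !== null) {
    // 1. HTML body text
    echo '<p>Results for ' . $escaper->escapeHtml($phrase) . '</p>' . "\n";

    // 2. HTML attribute (the case in the question): escapeHtmlAttr encodes every
    //    non-alphanumeric character, so the value cannot end the attribute.
    echo '<input type="text" name="query" value="' . $escaper->escapeHtmlAttr($phrase) . '" />' . "\n";

    // 3. JavaScript string literal
    echo '<script>var phrase = "' . $escaper->escapeJs($phrase) . '";</script>' . "\n";

    // 4. URL query component
    echo '<a href="/search?phrase=' . $escaper->escapeUrl($phrase) . '">Search again</a>' . "\n";

    // 5. CSS string value
    echo '<style>.q:after { content: "' . $escaper->escapeCss($phrase) . '"; }</style>' . "\n";
}
```

The practical point behind the answer's recommendation: escapeHtml only rewrites the five characters &, <, >, " and ', which is enough inside element text but leaves spaces and other characters alone, so it is only safe in an attribute that is reliably quoted. escapeHtmlAttr encodes everything outside [A-Za-z0-9] as an entity, so the same template stays safe even if a quote is later dropped from the markup. Keep the controller-side validation to what the application actually needs (length, character set, required or not); the filter does not replace output escaping, and escaping does not replace validation.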
