Skip to content

jakubboucek/legacy-escape

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits
.github/workflows
.github/workflows
 
 
src
src
 
 
tests
tests
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
composer.json
composer.json
 
 
phpstan.neon
phpstan.neon
 
 

Repository files navigation

Escape

PHP library to right escape outputs in your legacy project.

Don't use package for new projects, use Latte instead.

Package is substrate of Latte package filters.

Features

  • Escape HTML
  • Escape HTML attributes
  • Escape HTML href attributes
  • Escape HTML comments
  • Escape XML
  • Escape JS
  • Escape URL
  • Escape CSS
  • Escape CSS specifics for few properties:
    • color value

Install

composer require jakubboucek/legacy-escape

Usage

Instead:

echo 'Registered user: ' . $username;

Use:

use JakubBoucek\Escape\Escape;

echo 'Registered user: ' . Escape::html($username);

You can use shortcut by aliasing too:

use JakubBoucek\Escape\Escape as E;

echo 'Registered user: ' . E::html($username);

CSS specifics

In few cases you cannot use Escape::css($cssColor) to escape some known format, because standard escaping is broke CSS format. Class EscapeCss has prepared limited set of known propetries with specefics format:

color property

Sanitize value od CSS color property to safe format, example:

use JakubBoucek\Escape\EscapeCss;

echo '<style>color: ' . EscapeCss::color($cssColor) . ';</style>';

It's prevent attact by escaping color value context.

Safe HTML content

Package supports escaping HTML with included safe HTML content.

Usage:

use JakubBoucek\Escape\Escape;
use Nette\Utils\Html; 

$avatarUrl = 'http:/example.com/avatar.png';
$username = 'John Doe <script>hack</script>';

$avatarImage = Html::el('img')->src($avatarUrl)->width(16);
echo Escape::html($avatarImage, ' ', $username);

// <img src="http:/example.com/avatar.png" width="16"> John Doe &lt;script&gt;hack&lt;/script&gt;

Output without any escaping

In some cases you intentionally want to output variable without any escaping, but somebody other or your future self may mistakenly believe you forgot to escape it. Here you can use noescape() method to mark code as intentionally unescaped.

echo \JakubBoucek\Escape\Escape::noescape($htmlContent);

FAQ

Is it support for escaping SQL query?

No, SQL requires access to active SQL connection to right escape. This package is only allows to escape contexts without external requirements.

Contributing

Please don't hesitate send Issue or Pull Request.

Security

If you discover any security related issues, please email [email protected] instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

Origin code licences

Copyright (c) 2004, 2014 David Grudl (https://davidgrudl.com) All rights reserved. Please see License File for more information.

About

Right escape data inserted to HTML, CSS, JS and URL in your legacy project.

packagist.org/packages/jakubboucek/legacy-escape

Topics

php security legacy-application

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

4 watching

Forks

0 forks
Report repository

Releases 14

v1.9.4 Latest
Oct 17, 2024
+ 13 releases

Languages