Vayu Robins

Members
  • Posts: 98
Everything posted by Vayu Robins

  1. Thanks LostKobrakai. I did mention the $sanitizer in my first post here, so I am aware of it, but I am not sure if I should use it in all situations. Would you then always do this?

     echo $sanitizer->text( $title );

     or

     printf( '<h1>%s</h1>', $sanitizer->text( $page->title ) );
  2. Thanks again. But what about situations where it is not set at field level, i.e. a select dropdown, where it is not possible to set this type of HTML Entity Encoder?
  3. Hi Dave. Thank you for your feedback. Yes, that is a good point that the field can be escaped at field level. However, will that prevent cross-site scripting, as explained in that tutorial I referred to earlier? Example:

     $title = <script>alert('Injected javascript')</script>
  4. Hi. I am no PHP expert and have mostly done WordPress development for many years, so I am more used to the WordPress codebase than anything else. I have learned that it is good practice to escape your output with different WordPress functions, such as esc_attr, esc_url, esc_html etc. There is a list of functions here: https://codex.wordpress.org/Data_Validation

     Here is an example, taken from this tutorial: http://code.tutsplus.com/tutorials/data-sanitization-and-validation-with-wordpress--wp-25536

     <h1> <?php echo esc_html($title); ?> </h1>

     I am aware that there are some sanitization functions in ProcessWire, but I have not seen any for this kind of output. Nor have I found any articles/posts about this kind of practice for ProcessWire. The $sanitizer seems to be used more specifically for form input data. However, I assume that this is something one should consider in any PHP environment and not only in WordPress? Am I right?

     I am simply posting this question here because I am a bit unsure and would love to hear what other PHP developers here think about this and what is best to do in the ProcessWire environment. Looking forward to any feedback or input on this subject.
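The posts above circle around one question: whether output in template code should be escaped on every echo, and what to do for markup such as a select dropdown that no field-level "HTML Entity Encoder" setting covers. The following is an added example, not code from the thread, from WordPress or from ProcessWire. It uses plain PHP's htmlspecialchars() so it runs anywhere; the helper names esc_html_out() and render_select() and the sample values are constructed for this illustration. ProcessWire's $sanitizer->entities() method applies the same htmlspecialchars() call, so the pattern carries over directly.

```php
<?php
// Added example for the thread above, not part of the original posts.
// Shows context-aware output escaping in plain PHP. The helper names
// esc_html_out() and render_select() are hypothetical and defined here.

// Constructed untrusted input, mirroring the payload quoted in the thread.
$title = "<script>alert('Injected javascript')</script>";

// Escape a string for placement inside HTML text or a quoted attribute.
// ENT_QUOTES encodes both quote characters, so the value is safe inside
// value='...' as well as value="...". ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, which would silently drop
// content and hide the problem.
function esc_html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build a <select> from an associative array of value => label. This is the
// case raised in the thread where no field-level encoder applies: both the
// value attribute and the visible label are escaped at output time, so a
// value containing a quote cannot break out of the attribute.
function render_select(string $name, array $options, ?string $selected = null): string
{
    $html = sprintf('<select name="%s">', esc_html_out($name));
    foreach ($options as $value => $label) {
        $value = (string) $value;
        $html .= sprintf(
            '<option value="%s"%s>%s</option>',
            esc_html_out($value),
            ($value === $selected) ? ' selected' : '',
            esc_html_out((string) $label)
        );
    }
    return $html . '</select>';
}

// Unsafe: the script tag would reach the browser as live markup.
// echo "<h1>$title</h1>";

// Safe: the same string is rendered as literal text in the heading.
printf("<h1>%s</h1>\n", esc_html_out($title));

// Constructed option list containing an attribute-breaking value.
$colours = [
    'red'                     => 'Red',
    '" onmouseover="alert(1)' => 'Looks harmless',
];
echo render_select('colour', $colours, 'red'), "\n";
```

Run with php on the command line and compare the two lines: the angle brackets and quotes in $title arrive as entities inside the h1, and the second option's value is emitted as one encoded attribute value rather than closing the attribute early. The point for the thread is that escaping is a property of the output context, not of the stored value: a field-level encoder helps for titles rendered as text, but anything assembled in template code (attributes, option labels, URLs) still needs the escape applied where it is printed.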