zilli
Posted Wednesday at 02:26 PM

Hi all, I think I’m mixing up some concepts and would appreciate some clarification about when to use $sanitizer vs field text formatters.

For example, I have a title field that already uses the text formatter “HTML Entity Encoder (htmlspecialchars)”. In that case, do I still need to escape it manually on output, like this?

```php
<title id="html-title" pw-replace><?= $sanitizer->entities($page->title) ?></title>
```

Or should I assume that the formatter already makes it safe for HTML output, and avoid double-escaping?

More generally: when is $sanitizer mainly intended to be used? On input, on output, or both?
monollonom
Posted Wednesday at 08:15 PM

As long as the output formatting is on, you can assume your `$page->title` will return a formatted value, and so in your case with the entities encoded thanks to the Textformatter. So no need to escape it again using $sanitizer.

$sanitizer is mostly here to clean inputs from user-submitted forms or, more broadly, whenever you have to save external data you don't have control over.
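The distinction in the answer above, written out as an added PHP example for a ProcessWire template file (this is illustration code, not from the original thread or from the ProcessWire project). It assumes the `title` field has the "HTML Entity Encoder" textformatter assigned, and the helper names `safeTitle()` and `saveSubmittedTitle()` are made up for this example. The ProcessWire calls used (`$page->of()`, `$page->getUnformatted()`, `$sanitizer->entities()`, `$sanitizer->text()`, `$input->post()`, `$page->save()`) are part of the core API.

```php
<?php namespace ProcessWire;

// Assumption: the 'title' field carries the "HTML Entity Encoder (htmlspecialchars)"
// textformatter, so with output formatting ON $page->title is already HTML-safe.

/**
 * Hypothetical helper: return an HTML-safe title regardless of the page's
 * output-formatting state, without double-escaping.
 */
function safeTitle(Page $page, Sanitizer $sanitizer): string {
    if ($page->of()) {
        // Output formatting ON: the textformatter has already run.
        // Escaping again would turn "&amp;" into "&amp;amp;" (visible "&amp;" in the browser).
        return (string) $page->title;
    }
    // Output formatting OFF (e.g. inside a module, hook or after $page->of(false)):
    // the textformatter is NOT applied, so we must escape the raw value ourselves.
    return $sanitizer->entities((string) $page->getUnformatted('title'));
}

/**
 * Hypothetical helper: $sanitizer belongs on INPUT. Clean a user-submitted
 * title before it is stored; do not HTML-encode it here, because the
 * textformatter handles encoding on output.
 */
function saveSubmittedTitle(Page $page, Sanitizer $sanitizer, WireInput $input): bool {
    $raw = $input->post('title'); // untrusted, may be null
    if ($raw === null) return false;

    // text(): strips tags/control chars and enforces a length limit.
    $clean = $sanitizer->text($raw, ['maxLength' => 255]);
    if ($clean === '') return false;

    // Saving requires output formatting OFF so the stored value is the raw text.
    $page->of(false);
    $page->title = $clean;
    return $page->save('title');
}

// --- Usage in a template file (output formatting is ON here) ---
?>
<title id="html-title" pw-replace><?= safeTitle($page, $sanitizer) ?></title>
```

With output formatting on, `safeTitle()` reduces to the plain `$page->title` from the answer above; the branch for `$page->of() === false` is what you need in code that runs outside a template file, where textformatters are not applied. Note that this only holds for fields that actually have an encoding textformatter assigned; a field without one still needs `$sanitizer->entities()` on output.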