
Escaping output


Vayu Robins

Hi.

I am no PHP expert and have mostly done WordPress development during the last many years, so I am more used to the WordPress codebase than anything else.

I have learned that it is good practice to escape your output with different WordPress functions, such as esc_attr, esc_url, esc_html etc. There is a list of functions here: https://codex.wordpress.org/Data_Validation

Here is an example, taken from this tutorial: http://code.tutsplus.com/tutorials/data-sanitization-and-validation-with-wordpress--wp-25536

<h1> <?php echo esc_html($title); ?> </h1>

I am aware that there are some sanitization functions in ProcessWire, but I have not seen any for this kind of output. Nor have I found any articles/posts about this kind of practice for ProcessWire. The $sanitizer seems to be used more specifically for form input data. However, I assume that this is something one should consider in any PHP environment and not only in WordPress? Am I right?

I am simply posting this question here, because I am a bit unsure and would love to hear what other PHP developers here think about this and what is best to do in the ProcessWire environment.

Looking forward to any feedback or input on this subject. :-)


Escaping (or entity encoding) of output can be done automatically at field level. Take a look at the 'Details' tab on e.g. a textarea field like the standard 'body' field. Under 'Text Formatters' you should see 'HTML Entity Encoder (htmlspecialchars)', which applies http://php.net/htmlspecialchars to the field's content when output.

Depending on the sources of your field data, this might not really be necessary - if you absolutely trust everything you could be outputting it probably isn't. On the other hand...


Hi Dave. Thank you for your feedback. Yes, that is a good point that the field can be escaped at field level. However, will that prevent Cross-site scripting, as explained in that tutorial I referenced earlier? Example:

$title = "<script>alert('Injected javascript')</script>";

Yes, because (from the PHP manual page):

The translations performed are:

  • '&' (ampersand) becomes '&amp;'
  • '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
  • "'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set.
  • '<' (less than) becomes '&lt;'
  • '>' (greater than) becomes '&gt;'

Thanks LostKobrakai. I did mention the $sanitizer in my first post here, so I am aware of it, but am not sure if I should use it in all situations.

Would you then always do this?:

echo $sanitizer->text( $title );

or

printf( '<h1>%s</h1>', $sanitizer->text( $page->title ) );

Generally, if you output stuff in a template file that comes from the PW backend, you don't have to manually sanitize or escape anything. PW's fieldtype/inputfield takes care of a lot of stuff and for text and such you just have to set the correct Textformatters on the fields.

It's when you start taking in user input from outside the PW admin that you should sanitize stuff.

So when you just echo a page title in a template file there is imo no need to use sanitizer.

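To make the two points above concrete (the htmlspecialchars translations from the PHP manual, and the advice to escape request input rather than backend field data that already went through a textformatter), here is an added plain-PHP example. It is not code from this thread, from ProcessWire or from WordPress; `esc_text()`, `textformatter_entities()` and `check()` are hypothetical helpers, the textformatter imitation is just the `htmlspecialchars()` call the thread describes, `$_GET` stands in for ProcessWire's `$input->get`, and all input strings are constructed for the demo.

```php
<?php
// Added example, not from the thread or from ProcessWire/WordPress.
// Runs stand-alone from the CLI: php escape_demo.php
declare(strict_types=1);

// Hypothetical helper: one escaper for HTML text content and quoted attributes.
// ENT_QUOTES encodes ' as well as " (the thread's manual quote: ' is only
// encoded when ENT_QUOTES is set), so the result is also safe inside a
// single-quoted attribute. ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning '' (an empty string would silently drop the whole value).
function esc_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Imitation of the field-level "HTML Entity Encoder" textformatter from the
// thread: backend field values have already been through this once.
function textformatter_entities(string $fieldValue): string
{
    return htmlspecialchars($fieldValue, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: fail loudly instead of relying on zend.assertions.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed input: the payload from the thread.
$injected = "<script>alert('Injected javascript')</script>";

// 1. Text context, as in <h1><?= esc_text($title) ?></h1>.
$heading = '<h1>' . esc_text($injected) . '</h1>';
echo $heading, "\n";
// <h1>&lt;script&gt;alert(&#039;Injected javascript&#039;)&lt;/script&gt;</h1>
check(strpos($heading, '<script') === false, 'no raw <script> tag survives');
check(strpos($heading, "'") === false, 'single quotes are encoded (ENT_QUOTES)');

// 2. Attribute context: the same call is enough for a quoted attribute,
//    because the payload's quotes become &quot; and cannot close the value.
$q = '" onmouseover="alert(1)';
$field = '<input name="q" value="' . esc_text($q) . '">';
echo $field, "\n";
// <input name="q" value="&quot; onmouseover=&quot;alert(1)">
check(substr_count($field, '"') === 4, 'only the four quotes we wrote remain');

// 3. Trust boundary. A backend field with the entity textformatter enabled
//    is already encoded; escaping it again double-encodes (visible "&amp;").
$backendTitle = textformatter_entities('Tom & Jerry <3');
echo '<h1>' . $backendTitle . "</h1>\n";            // Tom &amp; Jerry &lt;3  -> shows "Tom & Jerry <3"
echo '<h1>' . esc_text($backendTitle) . "</h1>\n";  // Tom &amp;amp; Jerry ... -> shows "Tom &amp; Jerry &lt;3"
check(esc_text($backendTitle) !== $backendTitle, 'double escaping changes the markup');

// A request parameter never passes through a textformatter, so it is escaped
// at output time. ($_GET is set here only so the script runs from the CLI.)
$_GET['q'] = $injected;
$userQuery = (string) ($_GET['q'] ?? '');
$results = '<p>Results for ' . esc_text($userQuery) . '</p>';
echo $results, "\n";
check(strpos($results, '<script') === false, 'request input is escaped once, at output');

echo "all checks passed\n";
```

The design choice the example illustrates: escape exactly once, at the point where a value leaves your code and enters HTML, and know which path each value took. Field data with the entity textformatter enabled has already been escaped at that boundary; request data (search terms, query strings, form echoes) has not, which is why $sanitizer->entities() or htmlspecialchars() belongs on the latter and not on the former.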
