Class Phalcon\Escaper

Source on GitHub

Phalcon\Escaper

Escapes different kinds of text securing them. By using this component you may prevent XSS attacks.

This component only works with UTF-8. The PREG extension needs to be compiled with UTF-8 support.

$escaper = new \Phalcon\Escaper();

$escaped = $escaper->escapeCss("font-family: <Verdana>");

echo $escaped; // font\2D family\3A \20 \3C Verdana\3E

Properties¶

/**
 * @var bool
 */
protected doubleEncode = true;

/**
 * @var string
 */
protected encoding = utf-8;

/**
 * @var int
 */
protected flags = 3;

Methods¶

public function attributes( string $attribute = null ): string;

Escapes a HTML attribute string

public function css( string $input ): string;

Escape CSS strings by replacing non-alphanumeric chars by their hexadecimal escaped representation

final public function detectEncoding( string $str ): string | null;

Detect the character encoding of a string to be handled by an encoder. Special-handling for chr(172) and chr(128) to chr(159) which fail to be detected by mb_detect_encoding()

public function escapeCss( string $css ): string;

Escape CSS strings by replacing non-alphanumeric chars by their hexadecimal escaped representation

public function escapeHtml( string $text = null ): string;

Escapes a HTML string. Internally uses htmlspecialchars

public function escapeHtmlAttr( string $attribute = null ): string;

Escapes a HTML attribute string

public function escapeJs( string $js ): string;

Escape JavaScript strings by replacing non-alphanumeric chars by their hexadecimal escaped representation

public function escapeUrl( string $url ): string;

Escapes a URL. Internally uses rawurlencode

public function getEncoding(): string;

Returns the internal encoding used by the escaper

public function getFlags(): int;

Returns the current flags for htmlspecialchars

public function html( string $input = null ): string;

Escapes a HTML string. Internally uses htmlspecialchars

public function js( string $input ): string;

Escape javascript strings by replacing non-alphanumeric chars by their hexadecimal escaped representation

final public function normalizeEncoding( string $str ): string;

Utility to normalize a string's encoding to UTF-32.

public function setDoubleEncode( bool $doubleEncode ): void;

Sets the double_encode to be used by the escaper

$escaper->setDoubleEncode(false);

public function setEncoding( string $encoding ): void;

Sets the encoding to be used by the escaper

$escaper->setEncoding("utf-8");

public function setFlags( int $flags ): Escaper;

Sets the HTML quoting type for htmlspecialchars

$escaper->setFlags(ENT_XHTML);

public function setHtmlQuoteType( int $flags ): void;

Sets the HTML quoting type for htmlspecialchars

$escaper->setHtmlQuoteType(ENT_XHTML);

public function url( string $url ): string;

Escapes a URL. Internally uses rawurlencode

Interface Phalcon\Escaper\EscaperInterface

Source on GitHub

| Namespace | Phalcon\Escaper |

Interface for Phalcon\Escaper

Methods¶

public function escapeCss( string $css ): string;

Escape CSS strings by replacing non-alphanumeric chars by their hexadecimal representation

public function escapeHtml( string $text ): string;

Escapes a HTML string

public function escapeHtmlAttr( string $text ): string;

Escapes a HTML attribute string

public function escapeJs( string $js ): string;

Escape Javascript strings by replacing non-alphanumeric chars by their hexadecimal representation

public function escapeUrl( string $url ): string;

Escapes a URL. Internally uses rawurlencode

public function getEncoding(): string;

Returns the internal encoding used by the escaper

public function setEncoding( string $encoding ): void;

Sets the encoding to be used by the escaper

public function setHtmlQuoteType( int $quoteType ): void;

Sets the HTML quoting type for htmlspecialchars

Class Phalcon\Escaper\Exception

Source on GitHub

Exceptions thrown in Phalcon\Escaper will use this class