CakePHP has a global function called h. It's a convenience method for htmlspecialchars. CakePHP also has a utility called Sanitize, which has a method called html. Here is part of its description:

This method prepares user-submitted data for display inside HTML. This is especially useful if you don’t want users to be able to break your layouts or insert images or scripts inside of your HTML pages.

When should each be used? Is one better than the other?

Nick
  • Just stick to h() in the view layer as outlined in the doc examples: http://book.cakephp.org/2.0/en/views.html#extending-views – mark Jun 18 '13 at 05:12

1 Answer

Sanitize::html() is more versatile: it lets you strip the HTML completely (via the remove option), and lets you specify how it handles quoting.

See the source code:
h(): http://api.cakephp.org/2.3/source-function-h.html#160-199
Sanitize::html(): http://api.cakephp.org/2.3/source-class-Sanitize.html#83-122

EDIT:
h(): calls htmlspecialchars()
Sanitize::html(): calls htmlentities()

For discussion on differences, see: htmlentities() vs. htmlspecialchars()

Costa
  • Actually, `Sanitize::html()` calls `htmlentities`. – Nick Jun 18 '13 at 03:43
  • Must have been asleep. :) See this question for differences between the 2 PHP functions: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars . Both prevent XSS so either one is fine for security purposes. – Costa Jun 18 '13 at 05:35
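To make the answer's three points concrete (htmlspecialchars behind h(), htmlentities behind Sanitize::html(), and the remove/quoting options), here is an added, stand-alone PHP example that is not code from the question, the answer or CakePHP. It calls the two PHP functions directly; the option names `remove`, `quotes` and `entities` and the helper names are assumed for this example only, not CakePHP's API, and the sample input is constructed.

```php
<?php
// Added example, not from the question, the answer or CakePHP. It exercises the
// two PHP functions the answer names, so it runs without CakePHP installed.

// Constructed sample: both quote styles, an ampersand, a tag and a non-ASCII char.
$value = "O'Reilly & \"café\" <b onmouseover=\"x\">bold</b>";

// Mirrors the behaviours described in the answer. The option keys are assumed
// labels for this example, not CakePHP's real option names.
function encode_for_html(string $value, array $options = []): string
{
    $remove   = $options['remove']   ?? false;       // strip tags before encoding
    $quotes   = $options['quotes']   ?? ENT_QUOTES;  // ENT_QUOTES or ENT_COMPAT
    $entities = $options['entities'] ?? false;       // htmlentities vs htmlspecialchars

    if ($remove) {
        $value = strip_tags($value);
    }
    return $entities
        ? htmlentities($value, $quotes, 'UTF-8')
        : htmlspecialchars($value, $quotes, 'UTF-8');
}

// Defender's check: after encoding, can the value still close the attribute it
// is placed in? A raw quote of the surrounding kind (or a raw '<') means it can.
function safe_in_attribute(string $encoded, string $quoteChar): bool
{
    return strpos($encoded, $quoteChar) === false
        && strpos($encoded, '<') === false;
}

$cases = [
    'h() style, ENT_QUOTES'          => encode_for_html($value),
    'Sanitize style, ENT_QUOTES'     => encode_for_html($value, ['entities' => true]),
    'Sanitize style, ENT_COMPAT'     => encode_for_html($value, ['entities' => true, 'quotes' => ENT_COMPAT]),
    'Sanitize style, remove => true' => encode_for_html($value, ['entities' => true, 'remove' => true]),
];

foreach ($cases as $label => $encoded) {
    printf("%-32s %s\n", $label, $encoded);
    printf("%-32s double-quoted attr: %s, single-quoted attr: %s\n", '',
        safe_in_attribute($encoded, '"') ? 'ok' : 'BREAKS OUT',
        safe_in_attribute($encoded, "'") ? 'ok' : 'BREAKS OUT');
}
```

The ENT_COMPAT row is the caveat behind "specify how it handles quoting": with single quotes left untouched, the encoded value is only safe inside a double-quoted attribute, so ENT_QUOTES is the setting to keep unless you control every surrounding context.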