What do $this->escape() in zend framework actually do?

Question

I need help in understanding the actual actions of a helper function in Zend Framework.

I need someone to explain to me what $this->escape($string) actually does to the string passed to it before printing the string into the template.

score 17 · Accepted Answer · answered Dec 18 '09 at 00:06

17

$this->escape() escapes a string according to settings you can provide with $this->setEscape('functionname'), by default it is PHP's htmlspecialchars function.

http://framework.zend.com/manual/en/zend.view.scripts.html

answered Dec 18 '09 at 00:06

sakabako

1,150
7
14

Derek Illchuk · Answer 2 · 2009-12-18T00:12:46.087

7

It calls the htmlspecialchars PHP function.

The translations performed are:

'&' (ampersand) becomes '&'

'"' (double quote) becomes '"'

'<' (less than) becomes '<'

'>' (greater than) becomes '>'

edited Dec 18 '09 at 00:12

answered Dec 18 '09 at 00:02

Derek Illchuk

5,638
1
29
29

score 1 · Answer 3 · answered Sep 16 '11 at 08:41

Over at the PiKe project we build a custom stream wrapper that automatically escapes all view variables to be safe by default against XSS, with a MINIMAL performance hit! You can still get the RAW value with:

<?=~ $variable ?>

Notice the "~" character. Checkout http://code.google.com/p/php-pike/wiki/Pike_View_Stream

What do $this->escape() in zend framework actually do?

3 Answers3