Is $this->escape() in the Zend view enough against XSS?

I use $this->escape() a lot in Zend views. Is this enough to prevent XSS?

There is also HTMLPurifier, outside of the Zend Framework. I wonder how Zend's $this->escape() compares with HTMLPurifier.

+5
2 answers

escape is an alias of htmlspecialchars. It allows you to display plain text, while HTMLPurifier allows you to display safe HTML.

You cannot have plaintext XSS.

HTMLPurifier strip_tags, HTML, (, ).

+4

escape() HTML-escapes its input, i.e. it converts the characters that are special in HTML (e.g. & → &amp;, < → &lt;, > → &gt;, etc.).

+4
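Both answers say the same thing from different angles: escape() turns markup into inert text by encoding the HTML-special characters, while HTMLPurifier is for allowing some HTML through. The following is an added example, not code from the question, the answers or Zend Framework; it goes a little beyond the thread by showing in which output contexts htmlspecialchars-style escaping is sufficient and in which it is not. escapeLikeZendView(), handlerCodeSeenByJs() and unquotedAttributeValue() are hypothetical helpers written for this example, and all inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question, the answers or Zend Framework.
// escapeLikeZendView() is a hypothetical stand-in for $this->escape(), which the
// first answer describes as an alias of htmlspecialchars(). Flags and charset are
// passed explicitly because the htmlspecialchars() defaults changed in PHP 8.1
// (ENT_COMPAT before, ENT_QUOTES | ENT_SUBSTITUTE since); with ENT_COMPAT a
// single quote would pass through unencoded.
function escapeLikeZendView(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What the HTML parser hands to the JavaScript engine for an event-handler
// attribute: the attribute value is entity-decoded *before* it is parsed as JS,
// so &lt; &#039; &quot; turn back into < ' " there. Escaping alone does not
// protect this context.
function handlerCodeSeenByJs(string $attributeValue): string
{
    return html_entity_decode($attributeValue, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// What the HTML parser takes as the value of an *unquoted* attribute: it ends at
// the first whitespace, and whatever follows is parsed as further attributes.
function unquotedAttributeValue(string $escaped): string
{
    return preg_split('/\s+/', $escaped, 2)[0];
}

// "Plain text" vs "safe HTML": escaping turns even well-meant markup into
// literal text. A sanitizer such as HTMLPurifier would keep the <b> element;
// escape() cannot, it only displays text.
$legit = '<b>bold</b>';
echo escapeLikeZendView($legit), PHP_EOL;       // &lt;b&gt;bold&lt;/b&gt;

// Constructed attacker inputs, each aimed at the context it is rendered into.
// Format: context => [raw input, template the view would use around escape()].
$cases = [
    // Escaping is enough: < and > are encoded, the browser shows text.
    'html body'          => ['<script>alert(1)</script>', '<p>%s</p>'],
    // Escaping is enough: &quot; cannot close the quoted attribute.
    'quoted attribute'   => ['" onfocus="alert(1)" autofocus="', '<input value="%s">'],
    // Escaping changes nothing (no special characters): the value ends at the
    // first space and onfocus=alert(1) becomes a real attribute.
    'unquoted attribute' => ['x onfocus=alert(1) autofocus', '<input value=%s>'],
    // Escaping is undone by the browser: &#039; is decoded back to ' before the
    // JS parser runs, so the string literal is closed and alert(1) executes.
    'onclick handler'    => ["'); alert(1); //", '<a href="#" onclick="show(\'%s\')">x</a>'],
];

foreach ($cases as $context => [$raw, $template]) {
    $markup = sprintf($template, escapeLikeZendView($raw));
    echo str_pad($context, 19), ': ', $markup, PHP_EOL;
}

// Make the two failing contexts explicit.
echo 'unquoted value the parser keeps : ',
    unquotedAttributeValue(escapeLikeZendView($cases['unquoted attribute'][0])), PHP_EOL; // x
echo 'onclick code the JS engine sees : ',
    handlerCodeSeenByJs("show('" . escapeLikeZendView($cases['onclick handler'][0]) . "')"), PHP_EOL;
// show(''); alert(1); //')
```

Run it with `php example.php`. The practical rule it illustrates: htmlspecialchars-style escaping (and therefore $this->escape()) is enough for text inside elements and inside quoted attributes; for unquoted attributes, event-handler attributes, inline script, URLs or CSS it is not, and the fix is to always quote attributes and to avoid putting untrusted data into the other contexts rather than to reach for HTMLPurifier, which solves a different problem (letting a subset of HTML through).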
