
Difference between "Contextual Escaping" and "Sanitizing"

I am confused about the use of both "Contextual Escaping" and "Sanitizing". I tested both and got the same result.

// Sanitizing: the 'string' filter is applied to the request value
$strUrlName = $this->request->getPost('urlName', 'string');   // Value </title><script>alert(1)</script>
echo $strUrlName;

echo "<br>=========================<br>";

// Escaping: the same value passed through Phalcon\Escaper for an HTML body context
$strUrlName = '</title><script>alert(1)</script>';
$objEscape = new Phalcon\Escaper();
echo $objEscape->escapeHtml($strUrlName);

OUTPUT:
alert(1)
=========================
alert(1)

Is there any difference, and how and when should I use them?

Accepted answer

Actually, the output of both is quite different. While Phalcon\Filter removes extra dangerous characters, Phalcon\Escaper escapes them.

Real output:

alert(1) // Phalcon\Filter removes tags
&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt; // Phalcon\Escaper escapes tags
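The difference the answer describes, shown side by side as an added example that is not part of the original thread. It assumes Phalcon v3, where Phalcon\Filter::sanitize() and the Phalcon\Escaper escape* methods used below exist; the input values are constructed for illustration.

```php
<?php
// Added example, not code from the original thread. Assumes Phalcon v3
// (Phalcon\Filter and Phalcon\Escaper) with the phalcon extension loaded.

$untrusted = '</title><script>alert(1)</script>';   // constructed input

// 1. Sanitizing: the 'string' filter strips tags. The result is a
//    different value from what the user sent; the original is lost.
$filter    = new Phalcon\Filter();
$sanitized = $filter->sanitize($untrusted, 'string');
echo "Sanitized : ", $sanitized, PHP_EOL;

// 2. Escaping: the value is kept intact but encoded so the browser
//    treats it as text in the specific context it is inserted into.
$escaper = new Phalcon\Escaper();

// HTML body context (text between tags)
$html = $escaper->escapeHtml($untrusted);
echo "HTML body : ", $html, PHP_EOL;

// HTML attribute context: quotes are encoded too, so a value cannot
// terminate the attribute it is placed in
$attr = $escaper->escapeHtmlAttr('x" onmouseover="alert(1)');   // constructed
echo "Attribute : <input value=\"", $attr, "\">", PHP_EOL;

// JavaScript string context: characters that could end the string
// literal or the <script> block are encoded
$js = $escaper->escapeJs($untrusted);
echo "JS string : <script>var name = '", $js, "';</script>", PHP_EOL;

// Why the distinction matters: sanitizing is lossy and context-blind,
// escaping is lossless and is chosen per output context.
$legit = 'Tom & Jerry <b>rule</b>';   // constructed, harmless input
echo "Sanitized legit : ", $filter->sanitize($legit, 'string'), PHP_EOL;   // markup gone

$roundTrip = html_entity_decode($escaper->escapeHtml($legit), ENT_QUOTES);
echo "Escaped round-trips to original: ", var_export($roundTrip === $legit, true), PHP_EOL;
```

Sanitize at the input boundary when you want to change what is stored; escape at the output boundary, with the method matching the context (HTML body, attribute, JavaScript, CSS, URL), to display any stored value safely.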



Thanks for clearing it up for me.