Solved thread


Difference between "Contextual Escaping" and "Sanitizing"

I am confused about the use of both "Contextual Escaping" and "Sanitizing". I tested both and got the same result.

$strUrlName = $this->request->getPost('urlName', 'string');   // Value: </title><script>alert(1)</script>
echo $strUrlName;

echo "<br>=========================<br>";

$strUrlName = '</title><script>alert(1)</script>';
$objEscape = new Phalcon\Escaper();
echo $objEscape->escapeHtml($strUrlName);

OUTPUT:
alert(1)
=========================
alert(1)

Is there any difference and how & when to use them?

Accepted answer

Actually, the output of both is quite different. While Phalcon\Filter removes extra dangerous characters, Phalcon\Escaper escapes them.

Real output:

alert(1) // Phalcon\Filter removes tags
&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt; // Phalcon\Escaper escapes tags
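To make the distinction concrete, here is an added illustration that is not part of the original thread and does not use Phalcon at all: it runs the same untrusted string through a sanitizer (which changes the data) and through escaping for several output contexts (which keeps the data and only encodes it for that context). The helper names (`sanitizeString`, `escapeHtml`, `escapeJsString`, `escapeUrlParam`) and the sample inputs are my own; Phalcon's `'string'` filter and `Escaper::escapeHtml()` behave analogously to `strip_tags()` and `htmlspecialchars()` here, but the exact rules are Phalcon's and are not reproduced by this snippet.

```php
<?php
// Added example (not from the thread or from Phalcon): sanitizing vs. contextual escaping
// shown with standard PHP functions so it runs without the framework installed.
declare(strict_types=1);

// Constructed sample inputs: one attack-like string and one perfectly legitimate string
// that happens to contain '<'. The second one shows why sanitizing is lossy.
const SAMPLE_INPUTS = [
    '</title><script>alert(1)</script>',
    'I <3 PHP & "quotes"',
];

/** Sanitizing: removes characters, so the stored/displayed data is no longer what the user sent. */
function sanitizeString(string $value): string
{
    // strip_tags() drops everything from an unmatched '<' to the end of the string,
    // so 'I <3 PHP & "quotes"' becomes 'I ' (assumption based on strip_tags() behaviour).
    return strip_tags($value);
}

/** Contextual escaping for HTML text and quoted attribute values: data is preserved, only encoded. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES also encodes single quotes, which matters inside attribute values.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escaping for a JavaScript string literal inside a <script> block. */
function escapeJsString(string $value): string
{
    // JSON encoding with the HEX flags keeps '<', '>', '&' and quotes out of the literal,
    // so '</script>' cannot terminate the surrounding script element.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Escaping for a URL query parameter value. */
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

foreach (SAMPLE_INPUTS as $raw) {
    echo "Raw:        {$raw}\n";
    // Sanitized: data lost; the first input collapses to 'alert(1)', as in the thread.
    echo "Sanitized:  " . sanitizeString($raw) . "\n";
    // Escaped: the browser renders the original characters, but never executes them.
    echo "HTML body:  <p>" . escapeHtml($raw) . "</p>\n";
    echo "HTML attr:  <input value=\"" . escapeHtml($raw) . "\">\n";
    echo "JS string:  <script>var s = " . escapeJsString($raw) . ";</script>\n";
    echo "URL param:  <a href=\"/search?q=" . escapeUrlParam($raw) . "\">link</a>\n\n";
}
```

The practical rule this demonstrates: sanitize or validate at input only when you genuinely want to reject or alter what the user sent, and escape at output, choosing the escaper for the context the value lands in (HTML body, attribute, JavaScript, URL). Escaping is the one that preserves legitimate data such as `I <3 PHP` while still neutralising the `</title><script>` payload from the question.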


Thanks for clearing it up for me.