I have a Zend project and after time researching I’ve come across this idea. Of course this is security related and the purpose is to avoid xss attacks.
Other solutions would be to escape them just before showing them, but that would involve a lot of special cases and some time, because Zend does not have anything like that implemented.
These are the solutions for escaping before echo-ing them in the phtml:
http://codeutopia.net/blog/2007/11/10/how-to-automatically-escape-template-variables-in-zend_view/
and https://github.com/chikaram/gnix-view
Those are a bit too old; maybe someone has already met this problem and has come up with better solutions, using newer features that Zend has to offer, that I haven’t found out about.
So, would it be good practice to escape values before adding them to the db and keep an exclusion array for the rare special cases when I do want JavaScript code in my values?
If you have better solutions, links and examples would be much appreciated.
No, it would not be, because the database is for storing data, not “data already escaped for presentation on a specific medium”.
Consider, e.g., that you will need in the future to export it to PDF, not show it in HTML. With your approach this will be very hard, because the data in the database would already be broken.
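The point of the answer in runnable form, as an added example that is not part of the question, the answer, or Zend itself: the raw value is stored once and escaped for each output context (HTML, inline JavaScript, plain text for a PDF export) only at render time, and the "escape before storing" path is shown beside it so the double-escaping and the broken export are visible. The helper names `escapeHtml`, `escapeJs` and `renderPlainText` are assumptions chosen for the example; the sample comment string is constructed. Assumes PHP 7 or later.

```php
<?php
// Added example (not from the question, the answer, or Zend): one raw
// value, escaped per output context at render time.

// HTML text node or double-quoted attribute value.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal inside an inline <script> block; the HEX
// flags keep "</script>" and quotes from terminating the block early.
function escapeJs(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Plain text for a PDF or CSV export: no HTML escaping applies here.
function renderPlainText(string $value): string
{
    return $value;
}

// Constructed sample input: a user comment containing markup and quotes.
$raw = '<script>alert("x")</script> & "quotes"';

// Correct: the database row holds exactly what the user typed.
$storedRaw = $raw;

echo '<p>' . escapeHtml($storedRaw) . "</p>\n";
// -> <p>&lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt; &amp; &quot;quotes&quot;</p>
echo '<script>var comment = ' . escapeJs($storedRaw) . ";</script>\n";
// -> <script>var comment = "\u003Cscript\u003Ealert(\u0022x\u0022)...";</script>
echo renderPlainText($storedRaw) . "\n";
// -> the original text, intact, ready for the PDF exporter

// Wrong: escape for HTML before storing, as the question proposes.
$storedEscaped = escapeHtml($raw);

// The HTML view still has to escape (it cannot know the row is "pre-escaped"),
// so the page now shows "&lt;script&gt;" literally to the user.
echo '<p>' . escapeHtml($storedEscaped) . "</p>\n";
// -> <p>&amp;lt;script&amp;gt;alert(&amp;quot;x&amp;quot;)...</p>

// The PDF export prints HTML entities instead of the user's text.
echo renderPlainText($storedEscaped) . "\n";
// -> &lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt; &amp; &quot;quotes&quot;
```

In a Zend_View `.phtml` template the HTML case is the built-in `$this->escape($value)` helper, which wraps `htmlspecialchars` by default; the other contexts still need their own escaper, which is exactly why a single escape applied before the INSERT cannot be right for all of them.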