My understanding is that all variables should be output through htmlspecialchars() in a view.

Question

0

Asked: May 26, 20262026-05-26T06:53:59+00:00 2026-05-26T06:53:59+00:00

My understanding is that all variables should be output through htmlspecialchars() in a view.

0

My understanding is that all variables should be output through htmlspecialchars() in a view.

Are there any approaches or methods to do this, without having to specify the function on each appropriate line in each view?

The best that I could come up with is to have a helper function as follows:
function html_escape($var)

function h($var)
{
  if (is_array($var))
  {
    return array_map('h', $var);
  }
  else
  {
    return htmlspecialchars($var, ENT_QUOTES, 'UTF8');
  }
}

But still…this could get very tedious!

Any ideas?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-26T06:54:00+00:00

Editorial Team

2026-05-26T06:54:00+00:00Added an answer on May 26, 2026 at 6:54 am

You may have the function h() output the escaped data, rather than return it. Therefore, instead of writing <?php echo h($myvar); ?> you may write <?php h($myvar); ?>. This is now two characters shorter than echoing the variable without converting to entities.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

My understanding is that all variables should be output through htmlspecialchars() in a view.

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply