Escaping Output

Started by chinmay.sahoo, 08-01-2016, 06:59:25


chinmay.sahoo (Topic starter)

By this point, everybody should have heard the mantra, "filter input, escape output". You will notice that in the examples of the script helper code we've seen so far, all output is filtered through $this->escape(). escape() is a method of Zend_View that, by default, uses htmlspecialchars() to escape your output. However, there are times when you will need additional processing.

It is possible to tell Zend_View to use a different escape method. The setEscape() method allows you to tell Zend_View exactly what to do when escape() is called. The default behavior is the equivalent of calling $this->view->setEscape('htmlentities'). You can specify your own function to replace htmlentities() if you like, however. By this point, I would hope that you are programming using OO instead of procedural. So, to specify your method, you have to give setEscape() an object reference and then a method name, such as $this->view->setEscape($myobj, 'myEscapeMethod'). The final way of calling setEscape() is for static method calls. If you want to use a static method of a class for your escaping, then you use the syntax $this->view->setEscape('MyClassName', 'myEscapeMethod').

In all cases, the method you specify should take, as its first parameter, the value to be escaped. If the method takes other parameters, they should all be optional. The method's return value should be the escaped output.
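An added example of the kind of custom escaper the post describes, written for this page and not taken from the post or from Zend Framework. The class name StrictHtmlEscaper and the constructed payload are my own. It follows the contract stated above (value first, other parameters optional, escaped string returned) and shows why you might want to replace the default: Zend_View 1.x's built-in escape() calls htmlspecialchars() with ENT_COMPAT, which leaves single quotes alone, so a value placed inside a single-quoted attribute can break out. The example also uses ENT_SUBSTITUTE so that invalid UTF-8 is replaced rather than causing htmlspecialchars() to return an empty string. When registering the callback, Zend_View_Abstract::setEscape() takes a single callable, so the static method is passed as an array('ClassName', 'method') pair; the framework-specific part runs only if Zend_View is actually loaded.

```php
<?php
// Added example (not from the original post or from Zend Framework).
// A stricter HTML escaper meant to be registered with Zend_View::setEscape().

final class StrictHtmlEscaper
{
    /**
     * Escape a value for insertion into HTML text or a quoted attribute.
     *
     * Contract from the post: the value is the first parameter, any other
     * parameters are optional, and the escaped string is returned.
     *
     * @param mixed  $value    value to escape (cast to string)
     * @param string $encoding character set of the value
     * @return string
     */
    public static function escape($value, $encoding = 'UTF-8')
    {
        // ENT_QUOTES escapes both ' and " (ENT_COMPAT escapes only ").
        // ENT_SUBSTITUTE replaces invalid byte sequences instead of
        // returning '' for the whole string, which would silently drop output.
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
    }
}

// Constructed attacker-controlled input aimed at a single-quoted attribute.
$payload = "x' onmouseover='alert(1)";

// What ENT_COMPAT (the Zend_View 1.x default behaviour) leaves through.
$loose = htmlspecialchars($payload, ENT_COMPAT, 'UTF-8');

// What the stricter escaper produces.
$strict = StrictHtmlEscaper::escape($payload);

// The single quote survives in the first line, so the attribute is closed
// early and an event handler is injected; in the second it becomes &#039;.
echo "<a title='" . $loose . "'>loose</a>\n";
echo "<a title='" . $strict . "'>strict</a>\n";

// Invalid UTF-8: without ENT_SUBSTITUTE the result would be an empty string.
$broken = "caf\xC3";
echo StrictHtmlEscaper::escape($broken) . "\n";

// Wiring it into Zend_View, only when the framework is available.
if (class_exists('Zend_View')) {
    $view = new Zend_View();
    // setEscape() takes one callable; a static method is given as an array.
    $view->setEscape(array('StrictHtmlEscaper', 'escape'));
    echo $view->escape($payload) . "\n";
}
```

Run it with `php escaper.php`; the first anchor tag shows the broken attribute and the second the contained one. Because ENT_QUOTES is a superset of ENT_COMPAT, switching to this escaper does not change output that was already safe; it only closes the single-quote gap.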