Standalone XSS (cross site scripting) utility

2 years ago
materix
Member | 66
+
0
-

Does Nette have any class or utility for sanitizing input for XSS when used stand-alone (not using Nette Framework or Latte)?

2 years ago
Rick Strafy
Nette Blogger | 65
+
+1
-

You can use stand-alone latte for html text, that's the simplest option, since latte is context-aware and escaping is little more complicated, because it escapes text differently depending where it is (html attributes, javascript, inside tags). If you only want to escape xss inside html tags, you can use native php function htmlspecialchars($str)

Last edited by Rick Strafy (2022-09-29 17:45)

2 years ago
Marek Bartoš
Nette Blogger | 1171
+
+1
-

Escaping should be always done on output, not on input, because it is context-specific.
I guess you could dig deeper into Latte and use only its escaping functions, but I would ask why don't just use the whole Latte.

Some basic input sanitization is done by RequestFactory in nette/http