### Install Laminas Escaper via Composer

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/intro.md (the same command is given in docs/book/index.md and README.md)

This command installs the `laminas/laminas-escaper` component using Composer, the dependency manager for PHP, and adds it as a required dependency of your project. It is a stand-alone component and can be used without the full Laminas framework.

```bash
$ composer require laminas/laminas-escaper
```

--------------------------------

### Preventing XSS with Good URL Escaping in PHP

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-url.md

This PHP example demonstrates the correct way to escape user input that is placed in a URL parameter, using `Laminas\Escaper\Escaper::escapeUrl()`. Because the value is percent-encoded, the quote and space characters an attacker needs to close the `href` attribute are neutralized, preventing XSS and keeping the URL intact.

```php
<?php
// Reconstructed input (the example's literal was lost in extraction): a value that
// tries to close the href attribute and add an event handler, as described above.
$input = <<<INPUT
" onmouseover="alert('laminas')
INPUT;
$escaper = new Laminas\Escaper\Escaper('utf-8');
$output = $escaper->escapeUrl($input);
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Unescaped URL data</title>
        <meta charset="UTF-8"/>
    </head>
    <body>
        <a href="http://example.com/?name=<?= $output ?>">Click here!</a>
    </body>
</html>
```

--------------------------------

### Demonstrating Bad URL Escaping in PHP

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-url.md

This PHP example illustrates how failing to escape user input before inserting it into a URL leads to a Cross-Site Scripting (XSS) vulnerability. The `onmouseover` event handler is injected into the `href` attribute, allowing arbitrary JavaScript execution.

```php
<?php
// Reconstructed input (the example's literal was lost in extraction): the value
// closes the href attribute and injects an onmouseover handler.
$input = <<<INPUT
" onmouseover="alert('laminas')
INPUT;
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Unescaped URL data</title>
        <meta charset="UTF-8"/>
    </head>
    <body>
        <a href="http://example.com/?name=<?= $input ?>">Click here!</a>
    </body>
</html>
```

--------------------------------

### Demonstrating Good Javascript Escaping with Laminas\Escaper\Escaper::escapeJs()

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-javascript.md

This example demonstrates the correct way to escape Javascript string literals for HTML contexts using `Laminas\Escaper\Escaper::escapeJs()`. The method applies an extended set of character escapes beyond the standard ECMAScript rules, so potentially dangerous characters are encoded and a malformed value produces a `SyntaxError` rather than an exploit.

```php
<?php
// Reconstructed input (the example's literal was lost in extraction): characters that
// would terminate a JavaScript string literal and the enclosing script element.
$input = <<<INPUT
bar&</script><script>alert("laminas")</script>
INPUT;
$escaper = new Laminas\Escaper\Escaper('utf-8');
$output = $escaper->escapeJs($input);
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Escaped Entities</title>
        <meta charset="UTF-8"/>
        <script>
            // escapeJs() does not add quotes; the escaped value belongs inside a string literal
            var foo = "<?= $output ?>";
        </script>
    </head>
    <body>
        <p>Laminas\Escaper\Escaper::escapeJs() is good for escaping javascript!</p>
    </body>
</html>
```
--------------------------------

### Correct HTML Attribute Escaping with Laminas\Escaper\Escaper::escapeHtmlAttr()

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-html-attributes.md

This example demonstrates the correct and secure way to escape HTML attributes using `Laminas\Escaper\Escaper::escapeHtmlAttr()`. Because the method encodes every character outside a small safe set (including spaces), malicious input is rendered harmless even in an unquoted attribute context.

```php
<?php
// Reconstructed input (the example's literal was lost in extraction): a value that
// would leave an unquoted attribute at the first space.
$input = <<<INPUT
faketitle onmouseover=alert(/laminas/);
INPUT;
$escaper = new Laminas\Escaper\Escaper('utf-8');
$output = $escaper->escapeHtmlAttr($input);
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Quoteless Attribute</title>
        <meta charset="UTF-8"/>
    </head>
    <body>
        <div>
            <span title=<?= $output ?>>
                What framework are you using?
            </span>
        </div>
    </body>
</html>
```

--------------------------------

### Incorrect HTML Attribute Escaping with htmlspecialchars (Single Quoted)

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-html-attributes.md

This example demonstrates an incorrect way to escape HTML attributes using `htmlspecialchars()` with its default `ENT_COMPAT` flag. Malicious input containing single quotes passes through this escaping untouched, leading to an XSS vulnerability when the value is placed in a single-quoted HTML attribute.

```php
<?php
// Reconstructed input (the example's literal was lost in extraction): a single quote
// closes the attribute, and ENT_COMPAT leaves single quotes unencoded.
$input = <<<INPUT
' onmouseover='alert(/laminas/);
INPUT;
// ENT_COMPAT is the default the text refers to; it is passed explicitly so the
// example behaves the same on PHP versions whose default flags differ.
$output = htmlspecialchars($input, ENT_COMPAT);
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Single Quoted Attribute</title>
        <meta charset="UTF-8"/>
    </head>
    <body>
        <div>
            <span title='<?= $output ?>'>
                What framework are you using?
            </span>
        </div>
    </body>
</html>
```
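The two `htmlspecialchars()` mistakes above and the `escapeHtmlAttr()` fix, side by side, as an added example that is not part of the laminas-escaper documentation. It renders the same `<span title=...>` fragment with each strategy and then uses PHP's DOM extension as a defender's check: if the span ends up with more than one attribute, the user value escaped the `title` attribute. The probe strings are constructed for this example; it assumes the component is installed via Composer (`vendor/autoload.php`).

```php
<?php
// Added example, not from the laminas-escaper docs. Assumes a Composer install.
require __DIR__ . '/vendor/autoload.php';

use Laminas\Escaper\Escaper;

/**
 * Render <span title=...> with one of three escaping strategies and a quoting style
 * ("'" for a single-quoted attribute, '' for an unquoted HTML5 attribute).
 */
function renderTitle(string $value, string $strategy, string $quote): string
{
    $escaped = match ($strategy) {
        // ENT_COMPAT was the htmlspecialchars() default before PHP 8.1; passing it
        // explicitly reproduces that behaviour on every version: ' is left untouched.
        'ENT_COMPAT'     => htmlspecialchars($value, ENT_COMPAT),
        // ENT_QUOTES encodes both quote characters but not space, so it cannot
        // protect an unquoted attribute, whose value ends at the first space.
        'ENT_QUOTES'     => htmlspecialchars($value, ENT_QUOTES),
        // escapeHtmlAttr() encodes everything except [A-Za-z0-9,._-], space included.
        'escapeHtmlAttr' => (new Escaper('utf-8'))->escapeHtmlAttr($value),
    };
    return "<span title={$quote}{$escaped}{$quote}>What framework are you using?</span>";
}

/**
 * Defender's check: parse the rendered fragment and confirm the span still carries
 * exactly one attribute. A second attribute means the value broke out of title.
 */
function valueStayedInsideAttribute(string $fragment): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate HTML5 constructs libxml warns about
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $fragment . '</body></html>');
    libxml_clear_errors();
    $span = $doc->getElementsByTagName('span')->item(0);
    return $span !== null && $span->attributes->length === 1;
}

// Constructed probes, each paired with the quoting style it targets.
$cases = [
    ['ENT_COMPAT',     "'", "' onmouseover='alert(1)"],         // single-quoted mistake
    ['ENT_QUOTES',     '',  'faketitle onmouseover=alert(1)'],  // unquoted mistake
    ['escapeHtmlAttr', '',  'faketitle onmouseover=alert(1)'],  // the fix
];

foreach ($cases as [$strategy, $quote, $probe]) {
    $fragment = renderTitle($probe, $strategy, $quote);
    printf("%-15s %-6s %s\n", $strategy,
        valueStayedInsideAttribute($fragment) ? 'safe' : 'BROKEN', $fragment);
}
```

The DOM check is the useful part for a review or a test suite: it does not look for a particular payload, it asks whether the attribute boundary held, which is the property every attribute-escaping routine must guarantee regardless of quoting style.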
--------------------------------

### Preventing XSS with Laminas Escaper's escapeCss() in PHP

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-css.md

This PHP example demonstrates how to correctly escape user-provided CSS using the `Laminas\Escaper\Escaper` class and its `escapeCss()` method. With proper escaping, every non-alphanumeric character of the malicious input becomes a CSS hexadecimal escape, so it can no longer close the `<style>` element, preventing Cross-Site Scripting (XSS).

```php
<?php
// Reconstructed input: the URL inside url('...') was lost in extraction. The value
// closes the style element and opens a script element, which is the break-out the
// unescaped variant of this example allows.
$input = <<<INPUT
body {
    background-image: url('http://example.com/foo.jpg?</style><script>alert(1)</script>');
}
INPUT;
$escaper = new Laminas\Escaper\Escaper('utf-8');
$output = $escaper->escapeCss($input);
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Escaped CSS</title>
        <meta charset="UTF-8"/>
        <style>
            <?= $output ?>
        </style>
    </head>
    <body>
        <p>User controlled CSS needs to be properly escaped!</p>
    </body>
</html>
```
--------------------------------

### Incorrect HTML Attribute Escaping with htmlspecialchars (Unquoted)

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-html-attributes.md

This example illustrates another common mistake in HTML attribute escaping, this time with unquoted attributes (valid in HTML5). Even with `ENT_QUOTES`, `htmlspecialchars()` fails to prevent XSS: it does not encode spaces, and an unquoted attribute value ends at the first space, so an attacker can break out of the attribute context and add new attributes.

```php
<?php
// Reconstructed input (the example's literal was lost in extraction): the first space
// ends the unquoted attribute value, so everything after it becomes a new attribute.
$input = <<<INPUT
faketitle onmouseover=alert(/laminas/);
INPUT;
$output = htmlspecialchars($input, ENT_QUOTES);
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Quoteless Attribute</title>
        <meta charset="UTF-8"/>
    </head>
    <body>
        <div>
            <span title=<?= $output ?>>
                What framework are you using?
            </span>
        </div>
    </body>
</html>
```
--------------------------------

### Demonstrating Unescaped CSS Vulnerability in PHP

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-css.md

This PHP example illustrates a common vulnerability where user-controlled CSS is embedded directly into an HTML `<style>` element. Nothing stops the input from closing that element and starting a `<script>` element, so the page executes attacker-supplied JavaScript.

```php
<?php
// Reconstructed input: the URL inside url('...') was lost in extraction. The value
// closes the style element and opens a script element.
$input = <<<INPUT
body {
    background-image: url('http://example.com/foo.jpg?</style><script>alert(1)</script>');
}
INPUT;
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Unescaped CSS</title>
        <meta charset="UTF-8"/>
        <style>
            <?= $input ?>
        </style>
    </head>
    <body>
        <p>User controlled CSS needs to be properly escaped!</p>
    </body>
</html>
```
--------------------------------

### Demonstrating Bad Javascript Escaping with json_encode

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-javascript.md

This example illustrates an incorrect approach to Javascript escaping using PHP's `json_encode()`. While `json_encode()` handles basic JSON string literal escaping, it is insufficient for preventing XSS when the Javascript is embedded in an HTML context, because it does not escape characters that the HTML parser can misinterpret, leading to an alert popup.

```php
<?php
// Reconstructed input (the example's literal was lost in extraction): characters
// that matter to the HTML parser rather than to JSON.
$input = <<<INPUT
bar&</script><script>alert("laminas")</script>
INPUT;
// The JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags are off by
// default, so < > & ' pass through as-is.
$output = json_encode($input);
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Unescaped Entities</title>
        <meta charset="UTF-8"/>
        <script>
            // json_encode() supplies the surrounding quotes itself
            var foo = <?= $output ?>;
        </script>
    </head>
    <body>
        <p>json_encode() is not good for escaping javascript!</p>
    </body>
</html>
```
--------------------------------

### Demonstrating Contextual Escaping with Laminas Escaper

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/theory-of-operation.md

This snippet initializes the Laminas Escaper with UTF-8 encoding and shows how the same input string `<script>alert("laminas")</script>` is escaped differently for each target context: HTML body, HTML attribute, Javascript, CSS and URL. Each `escape*()` method applies the rules of its own context, so the output is safe only in the context it was escaped for.

```php
$escaper = new Laminas\Escaper\Escaper('utf-8');

// &lt;script&gt;alert(&quot;laminas&quot;)&lt;/script&gt;
echo $escaper->escapeHtml('<script>alert("laminas")</script>');

// &lt;script&gt;alert&#x28;&quot;laminas&quot;&#x29;&lt;&#x2F;script&gt;
echo $escaper->escapeHtmlAttr('<script>alert("laminas")</script>');

// \x3Cscript\x3Ealert\x28\x22laminas\x22\x29\x3C\x2Fscript\x3E
echo $escaper->escapeJs('<script>alert("laminas")</script>');

// \3C script\3E alert\28 \22 laminas\22 \29 \3C \2F script\3E
echo $escaper->escapeCss('<script>alert("laminas")</script>');

// %3Cscript%3Ealert%28%22laminas%22%29%3C%2Fscript%3E
echo $escaper->escapeUrl('<script>alert("laminas")</script>');
```

--------------------------------

### Laminas Escaper Class API Reference

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/intro.md

The `Laminas\Escaper\Escaper` class provides five methods for contextual output escaping, designed to prevent Cross-Site Scripting (XSS) vulnerabilities. Each method is tailored to one HTML, JavaScript, CSS or URI context.

```APIDOC
Laminas\Escaper\Escaper:
  escapeHtml(string $input): string
    description: Escapes a string for an HTML body context.
  escapeHtmlAttr(string $input): string
    description: Escapes a string for an HTML attribute context.
  escapeJs(string $input): string
    description: Escapes a string for a Javascript context.
  escapeCss(string $input): string
    description: Escapes a string for a CSS context.
  escapeUrl(string $input): string
    description: Escapes a string for a URI or URI parameter context.
```
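A self-check for the five contexts listed above, and for the URL, Javascript and CSS sections earlier on this page, as an added example that is not part of the laminas-escaper documentation. It runs constructed probe strings through every `escape*()` method and fails if any character that could terminate or alter that context survives unescaped; the allowed-character sets in the comments describe what each method leaves unencoded. It assumes a Composer install (`vendor/autoload.php`).

```php
<?php
// Added example, not from the laminas-escaper docs. Assumes a Composer install.
require __DIR__ . '/vendor/autoload.php';

use Laminas\Escaper\Escaper;

// Constructed probes covering the break-outs discussed on this page: script injection,
// attribute and URL quote/space tricks, </style> and </script> terminators, plus valid
// non-ASCII UTF-8, which must be encoded rather than rejected.
const PROBE_INPUTS = [
    '<script>alert("laminas")</script>',
    '" onmouseover="alert(\'laminas\')',
    'faketitle onmouseover=alert(/laminas/);',
    "bar&</script><script>alert(1)</script>",
    "</style><script>alert(1)</script>",
    "\u{e9}l\u{e8}ve / caf\u{e9}",
];

// Per context, a regex matching anything that must never appear raw in escaped output.
// Each is derived from what the escaper leaves unencoded:
//   escapeHtml     encodes < > " ' &; & may only appear as a named/numeric reference
//   escapeHtmlAttr keeps [A-Za-z0-9,._-]; everything else becomes an &...; reference
//   escapeJs       keeps [A-Za-z0-9,._]; everything else becomes \xHH or \uHHHH
//   escapeCss      keeps [A-Za-z0-9]; everything else becomes \HH followed by a space
//   escapeUrl      is rawurlencode(): [A-Za-z0-9-._~] and %HH
const FORBIDDEN = [
    'escapeHtml'     => '/[<>"\']|&(?!(?:amp|lt|gt|quot|#039);)/',
    'escapeHtmlAttr' => '/[^A-Za-z0-9,._\-&#;]|&(?!(?:amp|lt|gt|quot|#x[0-9A-Fa-f]+);)/',
    'escapeJs'       => '/[^A-Za-z0-9,._\\\\]/',
    'escapeCss'      => '/[^A-Za-z0-9\\\\ ]/',
    'escapeUrl'      => '/[^A-Za-z0-9\-._~%]/',
];

/** Escape one probe in one context and report the first raw delimiter found, if any. */
function checkContext(Escaper $escaper, string $method, string $probe): array
{
    $output = $escaper->$method($probe);
    $leak = preg_match(FORBIDDEN[$method], $output, $m) === 1 ? $m[0] : null;
    return ['output' => $output, 'leak' => $leak];
}

/** Run every probe through every context; true when no context leaks a delimiter. */
function runSelfCheck(): bool
{
    $escaper = new Escaper('utf-8');
    $ok = true;
    foreach (array_keys(FORBIDDEN) as $method) {
        foreach (PROBE_INPUTS as $probe) {
            $result = checkContext($escaper, $method, $probe);
            if ($result['leak'] !== null) {
                $ok = false;
                printf("LEAK  %-14s %-45s -> %s\n", $method, $probe, $result['output']);
            }
        }
    }
    return $ok;
}

echo runSelfCheck() ? "all five contexts hold\n" : "escaping invariant violated\n";
```

Two caveats the invariants make visible: `escapeUrl()` is for a single URI parameter value (percent-encoding a whole URL would also encode its `://` and `/`), and `escapeCss()` is for an untrusted value inside a property, since escaping a whole rule set, as the documentation's example does, also turns its braces and colons into `\HH` escapes.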
--------------------------------

### Correct HTML Escaping: Consistent Encodings

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-html.md

Presents the correct method for HTML escaping: the `Laminas\Escaper\Escaper` instance is initialized with the same character encoding (`utf-8`) as the HTML document being served. This consistency guarantees proper and secure escaping, preventing XSS attacks and ensuring content integrity.

```php
<?php
$input = '<script>alert("laminas")</script>';
$escaper = new Laminas\Escaper\Escaper('utf-8');
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Encodings set correctly!</title>
        <meta charset="UTF-8"/>
    </head>
    <body>
        <?= $escaper->escapeHtml($input); ?>
    </body>
</html>
```

--------------------------------

### Escaping HTML Body Content with Laminas Escaper

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-html.md

Demonstrates how to safely escape user-provided input for display within an HTML body context using `Laminas\Escaper\Escaper::escapeHtml()`. The method calls `htmlspecialchars()` with the correct flags and the configured encoding, making the output safe for HTML display.

```php
<?php
// Outputting this without escaping would be a bad idea!
$input = '<script>alert("laminas")</script>';

$escaper = new Laminas\Escaper\Escaper('utf-8');

// somewhere in an HTML template
?>
<?= $escaper->escapeHtml($input) // all safe! ?>
```

--------------------------------

### Incorrect HTML Escaping: Mismatched Encodings

Source: https://github.com/laminas/laminas-escaper/blob/2.18.x/docs/book/escaping-html.md

Illustrates a common error where the escaper's encoding (`utf-8`) differs from the encoding the document is served in (`ISO-8859-1`). The mismatch can lead to incorrect escaping, exposing the application to XSS or display problems. It highlights why encoding consistency is paramount.

```php
<?php
$input = '<script>alert("laminas")</script>';
$escaper = new Laminas\Escaper\Escaper('utf-8');
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Encodings set incorrectly!</title>
        <meta charset="ISO-8859-1"/>
    </head>
    <body>
        <?= $escaper->escapeHtml($input); ?>
    </body>
</html>
```
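One way to keep the encodings from drifting apart, as an added example that is not part of the laminas-escaper documentation: the `Content-Type` header, the `<meta charset>` and the Escaper encoding are all derived from one constant, and a small check compares the three on a rendered response so a later edit to only one of them is caught. The page contents are constructed; it assumes a Composer install (`vendor/autoload.php`) and uses `Escaper::getEncoding()` to read back the configured encoding.

```php
<?php
// Added example, not from the laminas-escaper docs. Assumes a Composer install.
require __DIR__ . '/vendor/autoload.php';

use Laminas\Escaper\Escaper;

// Single source of truth. Escaper accepts 'utf-8' and legacy encodings such as
// 'iso-8859-1'; whichever you pick, the input strings must already be in it.
const DOCUMENT_CHARSET = 'utf-8';

/** Render the page; returns [Content-Type header value, HTML document]. */
function renderPage(string $input): array
{
    $charset = DOCUMENT_CHARSET;
    $escaper = new Escaper($charset);          // escaper encoding == served encoding
    $body    = $escaper->escapeHtml($input);
    $html = <<<HTML
<!DOCTYPE html>
<html>
    <head>
        <title>Encodings set consistently</title>
        <meta charset="{$charset}"/>
    </head>
    <body>
        {$body}
    </body>
</html>
HTML;
    return ["text/html; charset={$charset}", $html];
}

/**
 * Drift check for tests or response middleware: the charset in the Content-Type
 * header, the <meta charset> in the document and the Escaper's own encoding must
 * all agree. Browsers give the HTTP header precedence, so a mismatch there is the
 * worst case.
 */
function charsetsAgree(string $contentType, string $html, Escaper $escaper): bool
{
    preg_match('/charset=([\w-]+)/i', $contentType, $header);
    preg_match('/<meta\s+charset=["\']?([\w-]+)/i', $html, $meta);
    $seen = array_map('strtolower', [$header[1] ?? '', $meta[1] ?? '', $escaper->getEncoding()]);
    return $seen[0] !== '' && count(array_unique($seen)) === 1;
}

// Constructed input: the script tag used throughout this page.
[$contentType, $html] = renderPage('<script>alert("laminas")</script>');
header('Content-Type: ' . $contentType);      // ignored on the CLI, real under a web SAPI
echo $html;

$escaper = new Escaper(DOCUMENT_CHARSET);
echo charsetsAgree($contentType, $html, $escaper) ? "consistent\n" : "DRIFT\n";

// Simulate someone editing only the template's meta tag later on.
$edited = str_replace('charset="utf-8"', 'charset="ISO-8859-1"', $html);
echo charsetsAgree($contentType, $edited, $escaper) ? "consistent\n" : "DRIFT\n";
```

The first check reports the page as consistent and the second reports drift, which is the situation the mismatched-encodings section above describes. Wiring the check into a response test is cheap and catches the mistake before it reaches a browser.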