Using different escaping methods

The question:

I noticed class vendor/magento/framework/Escaper.php which contains a few useful security methods used inside (mainly) templates. Some of them are quite common (escapeHtml()), but some of them are hard to encounter.

  1. What method and escapeXssInUrl() really does?
  2. In case of method escapeJsQuote() – what is the place where these quotes can be found? Only inline js in templates?
  3. Does anyone has some clear explanation when all methods should be used (practical examples)?
  4. What is a difference between escapeUrl() and escapeXssInUrl() and if second one grants us better security, why not always use second one instead escaping only html chars?
  5. escapeQuote() should be used for example for echoing some variable in situation like this <div value="<?php echo[here?]$value?>"></div>?

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

Most of the functions for Security measures against XSS attacks.

escapeXssInUrl() Method Remove javascript:, vbscript:, data: words from url and used like

echo $block->escapeXssInUrl($block->getUrl()) ?>"><?php echo $block->getAnchorTextHtml()

Magento 1 You can escape the quotes in javascript using $this->jsQuoteEscape ($item->getName()); Mahento 2 you can do the same using escapeJsQuote

escapeUrl() actually leverages htmlspecialchars with the recommended parameters to escape HTML: $result = htmlspecialchars($result, ENT_COMPAT, 'UTF-8', false);

You can find more information by Magento 2 official documentation.

Method 2

There is a helpful entry in the DevDocs on template security:
Security measures against XSS attacks

Re escapeXssInUrl: The function escapeUrl calls escapeXssInUrl internally plus escapeHtml afterwards. Also Magento uses escapeUrl internally.

Make sure to check out the new escaping functions once Magento 2.2. is out as there will be new ones coming:

The upcoming release of Magento 2.2 will deprecate these functions.

Please check back on this page after the 2.2 release for updated
documentation on new escape functions.

And you might as well be interested to check out my presentation about this here: Secure input and output handling – Meet Magento Romania 2016

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment