If you can’t trust your users, you should take care of this in your templates, using the esc()/escape() helpers. In the backend, you can use validators to control what users can enter into any given field.
Related topics:
Hey folks, I need some clarification on an issue where apostrophes are displayed within the panel like this…
[image: Panel View]
When rendered back to the frontend form the first example works just fine and renders correctly. It’s only in the panel that it seems to have the issue.
In the code, I followed the cookbook example to escape the input. Here is what that looks like…
[image: Escaping form input]
If the form is valid it updates the page. Again, when the data saved and…
I see it too often in the forum and the docs: people using the esc() helper in the wrong way, or not using it when they actually should. For example, with input sanitization:
<?php $var = esc(get('var')) ?>
or using the ‘legacy’ html() version:
<h1><?php echo $page->title()->html() ?></h1>
Please use the toolkit Escape class and the corresponding esc() helper for what they are intended for: XSS (Cross Site Scripting) prevention.
<h1><?php echo $page->title()->esc() ?></h1>
or the …
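The two points made on this page, validate when input is saved and escape only when it is rendered into HTML, are shown together below. This is an added example, not code from any of the posts above and not Kirby’s own code: it is plain PHP so it runs without Kirby. The hypothetical escHtml() stands in for Kirby’s esc() helper (assumption: in the default html context esc() is equivalent to htmlspecialchars with ENT_QUOTES and UTF-8), validateTitle() is a hypothetical backend validator, and the sample inputs are constructed.

```php
<?php
// Added example, not from the forum posts above or from Kirby itself.
// It separates the two jobs the posts describe:
//   1. validate or reject input when it is saved (backend validators)
//   2. escape for the HTML context when it is rendered (esc() in templates)

declare(strict_types=1);

// Escape for an HTML text or attribute context. Do this at output time only.
// Assumption: this matches what Kirby's esc($value) does for the html context.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Backend-side validation (hypothetical): decide whether a value may be stored.
// Returns a list of error messages; an empty list means the value is valid.
// A valid value may still contain quotes, apostrophes or angle brackets;
// validation decides what is acceptable, it does not make the value safe for HTML.
function validateTitle(string $value): array
{
    $errors = [];
    $len = mb_strlen($value, 'UTF-8');
    if ($len < 1 || $len > 80) {
        $errors[] = 'Title must be between 1 and 80 characters.';
    }
    if (preg_match('/[\x00-\x1F]/', $value) === 1) {
        $errors[] = 'Title must not contain control characters.';
    }
    return $errors;
}

// Constructed sample input: a legitimate apostrophe, a classic XSS payload,
// and mixed quotes that must survive a round trip unchanged.
$samples = [
    "Emmaus Encounter 'Panel'",
    '<script>alert(1)</script>',
    "John's \"quoted\" title",
];

foreach ($samples as $raw) {
    $errors = validateTitle($raw);

    // 1. Store the raw value. Escaping before storage means the stored text
    //    no longer equals what the user typed, and every later esc() call on
    //    output encodes the entities a second time.
    $stored = $raw;

    // 2. Escape exactly once, at render time, for the context it lands in.
    $html = '<h1>' . escHtml($stored) . '</h1>';

    echo "raw:     $raw\n";
    echo "valid:   " . ($errors === [] ? 'yes' : implode(' ', $errors)) . "\n";
    echo "html:    $html\n";
    // What esc() on input followed by esc() on output produces (double encoding):
    echo "double:  " . escHtml(escHtml($stored)) . "\n\n";
}
```

The script prints each sample three ways: the raw value as stored, the value escaped once for an h1 element (the script payload becomes inert text, the apostrophes come back intact when the browser decodes the entities), and the double-encoded form you get when esc() is applied both when saving and when rendering, which is how literal entity text ends up on screen.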