Escaping data for use within a CodeIgniter View
I have a controller and a view; the data that I'm working with inside the controller can't be trusted (it's drawn from somewhere external, and isn't $_GET
or $_POST
).
How do I escape the data when printing it in the view to ensure that tags and other things are escaped properly? I'm used to Zend_View's $this->escape($foo)
, which is used from inside the view, so I'm still trying to get my bearings. My preference is to escape it from within the view, as I use the data, but if that's not an option I'll do it within the controller.
(I've discovered the filtering for $this->input, but as the data isn't coming from $_GET
/$_POST
it's not much use to me. :-) Unfortunately, the examples I've seen so far have all been using a controller putting static data into an array, which is then passing to the view, eg. $data['foo'] = 'Example'
)
Any ideas?
Edit: I'm asking because I don't particularly relish using html_entities($str, ENT_QUOTES, 'utf-8')
everywhere (along with mb_convert_encoding()
and friends), but I guess I'll create a custom helper if needed.
Edit #2: The data is a bunch of strings (that may contain anything from straight alphanumeric characters, to <b>foo</b>
, to <script>alert('xsslol');</script>
.
I need to escape these strings to print them wi开发者_C百科thin, say, table cells, not allowing any HTML tags to be printed (converting tags into their HTML entity equivalents).
If I were working with bare PHP, I'd use htmlentities() for this, as per my edit above.Without knowing the nature of the data you're getting and how it should display, it's sort of hard to answer this.
You can still use the input class xss_clean method anywhere, since the default is to have it initialized. You could do this in the controller before you send it to the view or in the view:
echo $this->input->xss_clean($mystery_data);
Note: xss_clean is not running automatically on POST and COOKIE data unless you've set this in your apps config file:
$config['global_xss_filtering'] = TRUE;
You can take a look at it in system/libraries/Input.php, it's pretty thorough.
精彩评论