Question

I do a lot of $this->escape() in the zend view. Is this enough to prevent XSS?

There's HTMLPurifier outside the Zend Framework. I wonder how zend's $this->escape() compares to HTMLPurifier.

Solution

escape is an alias of htmlspecialchars. It allows you to output plain text, while HTMLPurifier allows you to output safe HTML.

You can't have XSS with plain text.

You have to use HTMLPurifier instead of strip_tags if you want to output safe HTML coming from a user input (rich text editor, for example).

OTHER TIPS

HTMLPurifier serves a different purpose. HTMLPurifier does not escape HTML... well, not exactly. It takes a configuration you give it that defines what is permitted in the HTML and what's not, and it cleans based on that. The result is actually still HTML, with certain things removed/sanitized.

escape(), on the other hand, turns HTML-like characters into HTML entities so that they render as the same characters in the browser instead of being interpreted as HTML (e.g. & -> &amp;, < -> &lt;, > -> &gt; and so on).

Different goals.

Does it save you from XSS issues? Yes, but make sure you have correctly configured your character encoding.
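The two answers above describe the same distinction from different angles: escaping turns the whole input into inert text, purifying keeps a configured subset of markup. The following PHP script is an added example, not code from either answer or from Zend Framework or HTMLPurifier themselves; it assumes HTMLPurifier was installed with Composer (so `vendor/autoload.php` exists), and the untrusted input string is constructed for illustration. Note the explicit charset and flags passed to `htmlspecialchars`, which is the "correctly configured your character encoding" point from the second answer.

```php
<?php
// Added example (not from the original answers). Assumes HTMLPurifier is
// installed via Composer (composer require ezyang/htmlpurifier) so that
// vendor/autoload.php exists. The sample input below is constructed.
require_once __DIR__ . '/vendor/autoload.php';

// Declare the response encoding so the browser and htmlspecialchars() agree.
header('Content-Type: text/html; charset=UTF-8');

// Constructed untrusted input: a legitimate paragraph with an event-handler
// attribute, followed by a script element.
$untrusted = '<p onmouseover="alert(1)">Hi <b>there</b></p><script>alert(1)</script>';

// 1. Escaping: every HTML-significant character becomes an entity, so the
//    browser shows the markup literally instead of interpreting it.
//    ENT_QUOTES also converts single quotes (needed when the value lands in
//    a single-quoted attribute); ENT_SUBSTITUTE replaces invalid UTF-8 byte
//    sequences instead of returning an empty string; naming the charset
//    avoids relying on the default_charset ini setting.
function escapeText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Purifying: an allow-list of elements and attributes. Anything not on
//    the list (here: the onmouseover attribute and the script element) is
//    dropped, and the result is HTML intended to be rendered as markup.
function purifyHtml(string $s): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Allowed', 'p,b,i,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($s);
}

// Plain-text context: user input shown as text.
echo '<pre>', escapeText($untrusted), '</pre>', PHP_EOL;

// Rich-text context: user-authored HTML from an editor, reduced to the
// allowed subset before output.
echo '<div class="post">', purifyHtml($untrusted), '</div>', PHP_EOL;
```

The first `echo` never yields executable markup regardless of what the input contains, which is the "you can't have XSS with plain text" point; the second keeps `<p>` and `<b>` but removes the event handler and the script element, because only the elements and attributes listed in `HTML.Allowed` survive. The `URI.AllowedSchemes` setting restricts `href` values to `http`/`https` so that links cannot carry `javascript:` URLs, a detail the purifier handles and a plain escape does not need to.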

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow