
I'm using laminas-escaper for escaping values in HTML and JavaScript. I fetch values from the server using AJAX, so I escape them in PHP using laminas-escaper. When I fetch the data from the server I store it in a JS variable and sometimes even display it using HTML. For example, in sample.js:

// Ask process.php for the data; the server answers with a JSON document.
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "process.php", true);
xhttp.setRequestHeader("Content-Type", "application/json");
xhttp.onreadystatechange = function ()
{
    // readyState 4 = request finished and response is ready
    if (xhttp.readyState == 4 && xhttp.status == 200)
    {
        // Parse the JSON body, then put the "name" field into the page.
        // innerHTML interprets the value as HTML markup, so whatever the
        // server sent is rendered as HTML at this point.
        var response = JSON.parse(xhttp.responseText);
        var name = response.name;
        document.getElementById('demo').innerHTML = name;
    }
};
xhttp.send();

The response that comes from the server will be in JSON format. For example: '{name:xxx,address:yyy}'

My question is: should I only use $escaper->escapeJs($input) for escaping JS, or only use $escaper->escapeHtml($input) for HTML escaping, or use both? If I have to use both, then in which order?

Note: I perform escaping on the server and send the result to the browser.

  • "will be in json format. For example ...": that example is not JSON. Why have you shown JavaScript code that retrieves JSON data when the question is about escaping HTML or JS? You would use neither for JSON data, as JSON is JSON, HTML is HTML and JS is JS. Commented Feb 28, 2022 at 10:38
  • That depends on what you want to achieve. Commented Feb 28, 2022 at 10:42
  • I don't use that framework, but usually you just do json_encode($content) and that's it; no need to additionally escape anything. Commented Feb 28, 2022 at 10:43
  • There's no reason to escape anything before you return it. Just return it "as is" from PHP and then escape it in the front end, if needed. It's better not to assume what you should use the data for later on in your application, since that can change. If you then need it unescaped for something, you will need to update it everywhere you use it, which just increases the risk that you miss some place. Commented Feb 28, 2022 at 10:47

1 Answer


You should escape the data, at the last possible moment, in a fashion suitable for what you are injecting it into.

If you are returning JSON to the browser then you should let PHP's json_encode function do the escaping for you.

If you are returning HTML to the browser then your PHP should escape the data for insertion in HTML.

If you're injecting the data into JavaScript embedded in the middle of an HTML document and then returning the HTML to the browser, then your PHP should escape it for both JS and HTML.

If you're returning plain text to the browser then you shouldn't escape it with PHP at all. If the browser then goes on to insert the returned text into the DOM with client-side JS then any escaping that needs doing is something that should be done by the client-side JS.

Likewise if you're returning JSON that the client-side JS parses and then inserts into the HTML then the PHP should handle any escaping for the JSON and the client-side JS should handle any escaping for the HTML.
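The two cases the answer ends on, worked through on the client side as an added example (this is not code from the question, the answer or laminas-escaper): the JSON body is parsed as-is, the value is escaped for HTML only at the moment it is built into markup, and, for the separate case of embedding JSON inside an inline script in an HTML page, the characters that matter to the HTML parser are written as JSON \u escapes. SAMPLE_RESPONSE is a constructed stand-in for what PHP's json_encode would return; escapeHtml, renderNameHtml and jsonForInlineScript are names chosen for this example.

```javascript
// Constructed sample of a json_encode response. The name contains HTML
// metacharacters, which are perfectly legal inside a JSON string as-is.
const SAMPLE_RESPONSE = '{"name":"Bob <b>\\"the builder\\"</b> & Co","address":"1 Main St"}';

// Escape a value for an HTML text node or a double-quoted attribute value.
// '&' is replaced first so the entities introduced afterwards are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the markup for the #demo element from the server's JSON text.
// Parsing needs no extra escaping; escaping happens where the value meets HTML.
function renderNameHtml(jsonText) {
  const response = JSON.parse(jsonText);
  return '<span class="name">' + escapeHtml(response.name) + '</span>';
}

// For JSON that will be placed inside an inline <script> block: JSON.stringify
// output is valid JS, but a string containing "</script>" would end the block
// early. Writing <, >, & and the two JS line terminators as \u escapes keeps
// the output valid JSON and valid JS while making it safe inside HTML
// (the same idea as json_encode's JSON_HEX_TAG | JSON_HEX_AMP flags in PHP).
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function demo() {
  const html = renderNameHtml(SAMPLE_RESPONSE);
  const data = JSON.parse(SAMPLE_RESPONSE);
  const inline = '<script>var data = ' + jsonForInlineScript(data) + ';</script>';
  // In a real page the simplest sink is textContent, which needs no escaping:
  //   document.getElementById('demo').textContent = data.name;
  console.log(html);
  console.log(inline);
  return { html, inline };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  demo();
}
```

When the value only needs to become text in the page, assigning it to textContent (as in the comment inside demo) avoids the escaping step entirely; escapeHtml is for the case where you are assembling an HTML string yourself.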


1 Comment

Got your point. I guess it's better to escape them in front-end since a value can be used in different context such as html, html attr or js.
