...
Input and output sanitization should be achieved using standard PHP filters. Cake's native Sanitize:: filter has been deprecated as of Cake 3 and should be avoided. Guidelines for converting existing Cake Sanitize:: filters to PHP filters are documented in CO-667.
For views producing HTML output to a browser, all user-supplied content should be encoded. In most cases filter_var with FILTER_SANITIZE_FULL_SPECIAL_CHARS is appropriate:

<?php print filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS); ?>
If output stripping is required or desired, use FILTER_SANITIZE_STRING with the appropriate stripping flags, e.g.

<?php print filter_var($var, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); ?>
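The two filters above behave differently on the same input: one encodes markup so the browser renders it as text, the other removes it. The following is an added example, not code from the COmanage wiki or the Cake project; the helper names encodeForHtml and stripForHtml and the sample values are constructed for illustration.

```php
<?php
// Added example: view-layer helpers built on the PHP filters recommended above,
// run against constructed form input. Helper names are hypothetical.

/**
 * Encode a user-supplied value for interpolation into HTML text or attribute
 * content. FILTER_SANITIZE_FULL_SPECIAL_CHARS HTML-encodes < > & " ' so any
 * markup in $var is displayed literally instead of being parsed by the browser.
 */
function encodeForHtml(string $var): string
{
    return filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

/**
 * Strip markup and control characters instead of encoding them, for views
 * that need the tags removed rather than shown. FILTER_SANITIZE_STRING drops
 * tags and encodes quotes; FILTER_FLAG_STRIP_LOW removes bytes below 0x20
 * (tabs, newlines, other control characters).
 * Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; on newer PHP,
 * strip_tags() followed by encodeForHtml() gives equivalent protection.
 */
function stripForHtml(string $var): string
{
    return filter_var($var, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
}

// Constructed sample values, as a controller might receive them from a form.
$samples = [
    'plain'   => 'Jane Doe',
    'markup'  => '<b>bold</b> & "quoted" <script>alert(1)</script>',
    'control' => "tab\there\x01and\x1fthere",
];

foreach ($samples as $label => $value) {
    printf("%-8s encoded:  %s\n", $label, encodeForHtml($value));
    printf("%-8s stripped: %s\n", $label, stripForHtml($value));
}
```

Running it side by side shows why encoding is the default recommendation: the encoded form preserves the user's text exactly while neutralising it, whereas stripping silently alters the value and should only be used where that is the intent.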
See PHP filters and the PHP sanitize filters reference for more information.
PHP-isms
No Short Tags
The full PHP tag must be used.
...