views:

754

answers:

1

I have a controller and a view; the data that I'm working with inside the controller can't be trusted (it's drawn from somewhere external, and isn't $_GET or $_POST).

How do I escape the data when printing it in the view to ensure that tags and other things are escaped properly? I'm used to Zend_View's $this->escape($foo), which is used from inside the view, so I'm still trying to get my bearings. My preference is to escape it from within the view, as I use the data, but if that's not an option I'll do it within the controller.

(I've discovered the filtering for $this->input, but as the data isn't coming from $_GET/$_POST it's not much use to me. :-) Unfortunately, the examples I've seen so far have all been using a controller putting static data into an array, which is then passed to the view, e.g. $data['foo'] = 'Example'.)

Any ideas?

Edit: I'm asking because I don't particularly relish using htmlentities($str, ENT_QUOTES, 'utf-8') everywhere (along with mb_convert_encoding() and friends), but I guess I'll create a custom helper if needed.

Edit #2: The data is a bunch of strings (that may contain anything from straight alphanumeric characters, to <b>foo</b>, to <script>alert('xsslol');</script>).

I need to escape these strings to print them within, say, table cells, not allowing any HTML tags to be printed (converting tags into their HTML entity equivalents).
If I were working with bare PHP, I'd use htmlentities() for this, as per my edit above.

+2  A: 

Without knowing the nature of the data you're getting and how it should display, it's sort of hard to answer this.

You can still use the input class xss_clean method anywhere, since the default is to have it initialized. You could do this in the controller before you send it to the view or in the view:

echo $this->input->xss_clean($mystery_data);

Note: xss_clean is not running automatically on POST and COOKIE data unless you've set this in your apps config file:

$config['global_xss_filtering'] = TRUE;

You can take a look at it in system/libraries/Input.php; it's pretty thorough.

mrinject
My apologies, I should've been more specific. Please see the second edit above. (xss_clean() by itself doesn't do the escaping I need.)
Rob Howard
In that case then I would probably make a helper like you said in the first edit.
mrinject
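The helper the question's first edit and the closing comment both point at, as an added example rather than code from the question, the answer or CodeIgniter itself. It is plain PHP: the escape_html() and table_cells() names are assumptions, and the comment about placing it under application/helpers/ and loading it with $this->load->helper() describes the usual CodeIgniter helper convention, not anything this thread states. It also shows the distinction the comments raise: xss_clean() rewrites constructs it recognises as dangerous, whereas entity-escaping renders every tag as literal text, which is what table cells need.

```php
<?php
// Added example, not code from the question or the answer.
// The two functions are what an assumed application/helpers/escape_helper.php
// would contain (loaded with $this->load->helper('escape')); they are plain PHP
// and run just as well outside CodeIgniter, so this file is runnable as-is.

if ( ! function_exists('escape_html'))
{
    /**
     * Escape untrusted text for an HTML body or attribute context.
     * Unlike xss_clean(), which strips or rewrites known-dangerous constructs
     * but leaves ordinary markup alone, this turns every '<', '>', '&', '"'
     * and "'" into its entity form so the browser displays the string
     * literally instead of interpreting it.
     */
    function escape_html($str)
    {
        // ENT_QUOTES covers both quote styles, so the result is also safe
        // inside a quoted attribute value. The explicit charset matters on
        // PHP < 5.4, whose default was ISO-8859-1.
        return htmlspecialchars((string) $str, ENT_QUOTES, 'UTF-8');
    }
}

if ( ! function_exists('table_cells'))
{
    /**
     * Render one <tr><td>…</td></tr> per value, escaping each cell.
     * Returns the markup rather than echoing it so a view can decide
     * where it goes.
     */
    function table_cells(array $values)
    {
        $html = '';
        foreach ($values as $value)
        {
            $html .= '<tr><td>' . escape_html($value) . "</td></tr>\n";
        }
        return $html;
    }
}

// Constructed sample input mirroring the question's second edit:
// plain text, harmless markup, and a script tag.
$untrusted = array(
    'plain text 123',
    '<b>foo</b>',
    "<script>alert('xsslol');</script>",
);

echo "<table>\n" . table_cells($untrusted) . "</table>\n";
```

In a view this is just `<td><?php echo escape_html($row['name']); ?></td>`. Two caveats worth knowing: htmlspecialchars() is enough for escaping (htmlentities() additionally encodes non-ASCII characters, which is unnecessary when the page is served as UTF-8), and on PHP 5.4 and later htmlspecialchars() returns an empty string for input that is not valid UTF-8 unless ENT_SUBSTITUTE is added to the flags, so data from an external source of unknown encoding should be converted or validated first.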