I have a controller and a view; the data that I'm working with inside the controller can't be trusted (it's drawn from somewhere external, and isn't $_GET or $_POST).
How do I escape the data when printing it in the view to ensure that tags and other things are escaped properly? I'm used to Zend_View's $this->escape($foo), which is used from inside the view, so I'm still trying to get my bearings. My preference is to escape it from within the view, as I use the data, but if that's not an option I'll do it within the controller.
(I've discovered the filtering for $this->input, but as the data isn't coming from $_GET/$_POST it's not much use to me. :-) Unfortunately, the examples I've seen so far have all been using a controller putting static data into an array, which is then passed to the view, e.g. $data['foo'] = 'Example'.)
Any ideas?
Edit: I'm asking because I don't particularly relish using htmlentities($str, ENT_QUOTES, 'utf-8') everywhere (along with mb_convert_encoding() and friends), but I guess I'll create a custom helper if needed.
Edit #2: The data is a bunch of strings (that may contain anything from straight alphanumeric characters, to <b>foo</b>, to <script>alert('xsslol');</script>).
I need to escape these strings to print them within, say, table cells, not allowing any HTML tags to be printed (converting tags into their HTML entity equivalents).
If I were working with bare PHP, I'd use htmlentities() for this, as per my edit above.
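The kind of custom escaping helper the question describes, as an added example that is neither the asker's code nor part of CodeIgniter or Zend_View. It uses htmlspecialchars() rather than htmlentities(), which is enough to neutralise tags and quotes in HTML text and attribute contexts; the helper name e(), the escape_array() name and the sample rows are assumptions constructed for the demonstration.

```php
<?php
// Added example: a small output-escaping helper of the kind the asker mentions.
// The names e() and escape_array() are assumptions; drop them into a helper file
// and load it, then call e($str) at the point of output in the view.

/**
 * Escape a string for output inside HTML text or a quoted attribute value.
 * ENT_QUOTES covers both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8 with
 * U+FFFD instead of returning '' (which would silently drop the whole value).
 * The charset must match the page's declared encoding, here UTF-8.
 */
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Escape every scalar in a (possibly nested) data array before handing it to
 * $this->load->view(), for the case where escaping in the controller is preferred.
 * String keys are escaped too, since templates often echo those as headers.
 */
function escape_array(array $data)
{
    $out = array();
    foreach ($data as $key => $value) {
        $safeKey = is_string($key) ? e($key) : $key;
        $out[$safeKey] = is_array($value) ? escape_array($value) : e($value);
    }
    return $out;
}

// Constructed sample data mirroring the strings described in the question.
$rows = array(
    'plain'  => 'foo123',
    'bold'   => '<b>foo</b>',
    'script' => '<script>alert(\'xsslol\');</script>',
    'quotes' => 'say "hi" & \'bye\'',
);

// View-side usage: escape per cell, at the moment the untrusted string is printed.
echo "<table>\n";
foreach ($rows as $label => $text) {
    echo '<tr><td>' . e($label) . '</td><td>' . e($text) . "</td></tr>\n";
}
echo "</table>\n";

// Controller-side alternative: escape the whole array once, then pass it on.
$safeRows = escape_array($rows);
```

This covers HTML text and attribute contexts only; a value dropped into a JavaScript block, a URL, or CSS needs the escaping rules of that context instead, and a value escaped twice (once in the controller, again in the view) will show up with literal "&amp;amp;" on the page, so pick one of the two places and stick to it.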