Zend Framework 2 Documentation (Manual)

File: /_sources/modules/zend.escaper.escaping-url.txt

.. _zend.escaper.escaping-url:

Escaping URLs
=============

``escapeUrl()`` is essentially an alias for PHP's ``rawurlencode()``, which has followed RFC 3986 (percent-encoding everything except the unreserved characters ``A-Z``, ``a-z``, ``0-9``, ``-``, ``_``, ``.`` and ``~``) since PHP 5.3. It is included primarily for consistency with the other ``Escaper`` methods.

URL escaping applies to data being inserted into a single URL component, such as a query string value or a path segment, and not to the whole URL itself: passing a complete URL through ``escapeUrl()`` would percent-encode its ``:``, ``/``, ``?``, ``&`` and ``=`` delimiters and destroy its structure. Note also that ``escapeUrl()`` only stops inserted data from breaking out of the component it is placed in; it is not a substitute for validating a user-supplied URL as a whole (for example, restricting it to the ``http`` and ``https`` schemes) before placing it in an ``href`` attribute.

.. _zend.escaper.escaping-url.bad-examples:

Examples of Bad URL Escaping
----------------------------

XSS attacks are easy if data inserted into URLs is not escaped properly. Here the ``"`` at the start of the input terminates the ``href`` attribute value, and the remainder of the input becomes an ``onmouseover`` event handler on the link:

.. code-block:: php
   :linenos:

   <?php header('Content-Type: application/xhtml+xml; charset=UTF-8'); ?>
   <!DOCTYPE html>
   <?php
   // Attacker-controlled input, deliberately left unescaped to show the problem
   $input = <<<INPUT
   " onmouseover="alert('zf2')
   INPUT;
   ?>
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>Unescaped URL data</title>
       <meta charset="UTF-8"/>
   </head>
   <body>
       <a href="http://example.com/?name=<?php echo $input; ?>">Click here!</a>
   </body>
   </html>

.. _zend.escaper.escaping-url.good-examples:

Examples of Good URL Escaping
-----------------------------

By properly escaping data in URLs using ``escapeUrl()``, we can prevent XSS attacks. The ``"``, space, ``=``, ``(``, ``'`` and ``)`` in the input are all percent-encoded, so the output can no longer close the attribute or introduce a new one:

.. code-block:: php
   :linenos:

   <?php header('Content-Type: application/xhtml+xml; charset=UTF-8'); ?>
   <!DOCTYPE html>
   <?php
   // Same attacker-controlled input as in the bad example
   $input = <<<INPUT
   " onmouseover="alert('zf2')
   INPUT;
   // Only the query string value is escaped, never the surrounding URL
   $escaper = new Zend\Escaper\Escaper('utf-8');
   $output = $escaper->escapeUrl($input);
   ?>
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>Escaped URL data</title>
       <meta charset="UTF-8"/>
   </head>
   <body>
       <a href="http://example.com/?name=<?php echo $output; ?>">Click here!</a>
   </body>
   </html>

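The following is an added example, not code from the Zend Framework documentation. It goes a step beyond the examples above: it escapes several attacker-controlled query parameters individually while leaving the URL skeleton untouched, shows what happens when the whole URL is (wrongly) passed through ``escapeUrl()``, and adds the scheme check that ``escapeUrl()`` cannot provide when the user supplies an entire URL. It assumes ``zendframework/zend-escaper`` is installed via Composer so that ``vendor/autoload.php`` exists; ``buildSearchLink()``, ``safeHref()`` and the sample input are constructed for illustration.

```php
<?php
// Added example, not part of the Zend Framework documentation or library.
// Assumption: zend-escaper is installed via Composer (vendor/autoload.php).
require 'vendor/autoload.php';

use Zend\Escaper\Escaper;

/**
 * Build a search link from attacker-controlled query parameters.
 * Each key and value is escaped individually with escapeUrl(); the URL
 * skeleton (scheme, host, path, '?', '&', '=') is never passed through it.
 * The finished URL is then escaped for the HTML attribute it lands in,
 * which is a separate context from the URL itself.
 */
function buildSearchLink(Escaper $escaper, array $params)
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $escaper->escapeUrl((string) $key) . '='
                 . $escaper->escapeUrl((string) $value);
    }
    $url = 'http://example.com/search?' . implode('&', $pairs);

    return '<a href="' . $escaper->escapeHtmlAttr($url) . '">Search</a>';
}

/**
 * escapeUrl() cannot make a user-supplied *whole* URL safe: encoding it
 * destroys the URL, and leaving it raw lets a "javascript:" scheme through.
 * The appropriate control is an explicit scheme allow-list, after which the
 * URL is escaped only for the attribute context. Returns null on rejection.
 */
function safeHref(Escaper $escaper, $url)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-less or unparseable input
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // rejects javascript:, data:, vbscript:, ...
    }

    return $escaper->escapeHtmlAttr($url);
}

$escaper = new Escaper('utf-8');

// Constructed attacker-controlled input, the same payload as the examples above.
$payload = '" onmouseover="alert(\'zf2\')';

// Correct: components escaped one by one, structure preserved.
echo buildSearchLink($escaper, ['name' => $payload, 'page' => 2]), PHP_EOL;

// Wrong: escaping the whole URL percent-encodes "://", "?" and "=" as well,
// so the result is no longer a usable link.
echo $escaper->escapeUrl('http://example.com/search?name=' . $payload), PHP_EOL;

// A whole URL from the user needs validation, not escapeUrl().
var_dump(safeHref($escaper, 'javascript:alert(1)'));
var_dump(safeHref($escaper, 'https://example.com/?a=1&b=2'));
```

``escapeHtmlAttr()`` encodes far more aggressively than ``escapeUrl()`` (including ``:``, ``/`` and ``%``), but browsers decode character references inside attribute values before interpreting the URL, so the link still resolves correctly. For the common case of a flat parameter array, PHP's ``http_build_query($params, '', '&', PHP_QUERY_RFC3986)`` performs the same per-component ``rawurlencode()`` that ``buildSearchLink()`` does by hand.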