Wikimedia Developer Support

Escaping strings - Which method to use?

mediawiki

#1

Given a string, there are currently four different ways of escaping the content:

  1. Use htmlspecialchars directly
  2. Use HtmlArmor, which uses htmlspecialchars
  3. Just pass the string to Html::element (or Xml::element)
  4. (for messages only) Use Message::escaped

Which one of the given approaches is the right way to escape?
Html::element doesn’t call htmlspecialchars at all, HtmlArmor uses different parameters than Message::escaped, and htmlspecialchars can be called without the options used by HtmlArmor or Message::escaped.

To make matters even more confusing, Xml::element does call htmlspecialchars, with the same options as HtmlArmor does.


#2

Just pass the string to Html::element (which is documented as doing HTML escaping, so I don’t think there’s anything particularly confusing there).


#3

Looking at Html::element, the escaping consists of replacements of the < and &, yet the escaping functionality of Message::toString uses htmlspecialchars (with an encoding specified). htmlspecialchars handles a bit more than Html::element. So, the output of Message::escaped wouldn’t necessarily match the content that would be put in an HTML element using Html::element.

Is that okay? It seems to me that the escaping should be consistent no matter what method is used.


#4

Why should it? In one case you are escaping HTML tag content, in the other an arbitrary string.
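The distinction #4 draws between escaping tag content and escaping an arbitrary string, as an added example that is not MediaWiki's own code: `escapeTextContent` is a hypothetical stand-in for the minimal `<`/`&` replacement that #3 describes, `escapeFull` is plain `htmlspecialchars` with `ENT_QUOTES`, and `safeForQuotedAttribute` is an assumed helper, not a MediaWiki function.

```php
<?php
// Added example, not MediaWiki code. Two stand-ins for the escaping
// strategies discussed above: a minimal text-node escape that only touches
// '&' and '<' (what #3 describes Html::element doing), and
// htmlspecialchars() with ENT_QUOTES, which also escapes '>', '"' and "'".

function escapeTextContent(string $s): string {
    // Replace '&' first so the '&' inside '&lt;' is not escaped a second time.
    // This is sufficient for a text node between <tag> and </tag>.
    return str_replace(['&', '<'], ['&amp;', '&lt;'], $s);
}

function escapeFull(string $s): string {
    // The general-purpose escape for an arbitrary string whose destination
    // context (text node, attribute value, ...) is not known in advance.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed helper: a string may be dropped into a double- or single-quoted
// attribute value only if neither quote character survives escaping.
// '<' and '&' are not what breaks out of an attribute; quotes are.
function safeForQuotedAttribute(string $escaped): bool {
    return strpbrk($escaped, "\"'") === false;
}

$sample = 'Tom & "Jerry" <3 O\'Neil'; // constructed input

$content = escapeTextContent($sample); // quotes survive untouched
$full    = escapeFull($sample);        // quotes become entities

printf("text-node escape: %s\n", $content);
printf("htmlspecialchars: %s\n", $full);

// Both outputs are equally safe as tag content, but only the second one can
// be reused as an attribute value, which is why the two methods are not
// interchangeable even though they "both escape HTML".
var_dump(safeForQuotedAttribute($content));
var_dump(safeForQuotedAttribute($full));
```

The text-node escape is correct for the context `Html::element` writes into; the point is that its output must not be recycled into a different context such as an attribute, where only the fuller escape holds.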