Wikimedia Developer Support

Escaping strings - Which method to use?



Given a string, there are currently four different ways of escaping the content:

  1. Use htmlspecialchars directly
  2. Use HtmlArmor, which uses htmlspecialchars
  3. Just pass the string to Html::element (or Xml::element)
  4. (for messages only) Use Message::escaped

Which one of the given approaches is the right way to escape?
Html::element doesn’t call htmlspecialchars at all, HtmlArmor uses different parameters than Message::escaped, and htmlspecialchars can be called without the options used by HtmlArmor or Message::escaped.

To make matters even more confusing, Xml::element does call htmlspecialchars, with the same options as HtmlArmor does.


Just pass the string to Html::element (which is documented as doing HTML escaping, so I don’t think there’s anything particularly confusing there).


Looking at Html::element, the escaping consists of replacements of the < and &, yet the escaping functionality of Message::toString uses htmlspecialchars (with an encoding specified). htmlspecialchars handles a bit more than Html::element. So, the output of Message::escaped wouldn’t necessarily match the content that would be put in an HTML element using Html::element.

Is that okay? It seems to me that the escaping should be consistent no matter what method is used.


Why should it? In one case you are escaping HTML tag content, in the other an arbitrary string.