Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Laminas Escaper Laravel Package

laminas/laminas-escaper

Securely escape untrusted data for HTML, HTML attributes, JavaScript, CSS, and URLs to prevent XSS. Laminas Escaper provides robust, context-aware escaping utilities for PHP apps and templates.


Getting Started

  1. Install via Composer: composer require laminas/laminas-escaper
  2. First use case: Escape user-provided data in a template before outputting to HTML
    use Laminas\Escaper\Escaper;
    $escaper = new Escaper('UTF-8');
    echo $escaper->escapeHtml($userInput); // e.g., "<script>alert(1)</script>" → "&lt;script&gt;..."
    
  3. Key entry point: Instantiate Laminas\Escaper\Escaper — no bootstrapping or config required. Start with escapeHtml() in templates or response rendering.

Implementation Patterns

  • Templating integration: Use in custom or third-party templating engines (e.g., Twig, Blade) by registering an Escaper helper.
    Example for custom PHP templates:
    // views/user/profile.php
    <h1><?= $escaper->escapeHtml($user->name) ?></h1>
    <input value="<?= $escaper->escapeHtmlAttr($user->bio) ?>">
    
  • Lazy escaping in APIs: Escape only when outputting to the browser (not during business logic).
  • Context-aware chaining: Use the right method for the context:
    • escapeHtml() → HTML text nodes
    • escapeHtmlAttr() → HTML attribute values
    • escapeJs() → JavaScript strings/variables
    • escapeCss() → CSS properties/values
    • escapeUrl() → URL query parameters (note: not for entire URLs — use rawurlencode() first)
  • View helper pattern: Wrap Escaper in a service or view helper (e.g., $view->e($var, 'html')) for brevity.
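    The context list above, as an added example that is not code from the laminas-escaper project or this page: one untrusted record rendered once per output context. It assumes `composer require laminas/laminas-escaper` has been run (so vendor/autoload.php exists) and uses a constructed $profile array in place of data loaded from storage.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Laminas\Escaper\Escaper;

// Constructed sample of untrusted data exactly as it would come back from
// storage: nothing is escaped on input, escaping happens only in render().
$profile = [
    'name'  => 'Ada <script>alert(1)</script>',
    'bio'   => '" onmouseover="alert(1)',
    'nick'  => "'; alert(1); //",
    'color' => 'red; background: url(javascript:alert(1))',
    'tag'   => 'a&b=c d',
];

/**
 * Render the profile, picking the escaper method for each output context.
 * Each value is escaped exactly once, at the point it is written out.
 */
function render(array $profile, Escaper $e): string
{
    $lines = [
        // HTML text node
        '<h1>' . $e->escapeHtml($profile['name']) . '</h1>',
        // HTML attribute value (quoted attribute; escapeHtml() alone is not enough here)
        '<input value="' . $e->escapeHtmlAttr($profile['bio']) . '">',
        // JavaScript string literal
        "<script>var nick = '" . $e->escapeJs($profile['nick']) . "';</script>",
        // CSS property value
        '<div style="color: ' . $e->escapeCss($profile['color']) . '">tagged</div>',
        // URL query parameter value, not a whole URL
        '<a href="/search?tag=' . $e->escapeUrl($profile['tag']) . '">search</a>',
    ];

    return implode("\n", $lines);
}

// Pass the encoding explicitly; the escaper validates input against it.
$escaper = new Escaper('UTF-8');
echo render($profile, $escaper), "\n";
```

    Passing the output of render() through escapeHtml() a second time would turn every "&lt;" into "&amp;lt;", which is the double-encoding problem the tips below warn about.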

Gotchas and Tips

  • Never escape input: Only escape output. Escaping before storage breaks data integrity and can cause double-encoding issues later.
  • Double-encoding risk: Avoid calling escape*() on already-escaped data. Test with known payloads like "<", "&", or " onclick=alert(1)".
  • UTF-8 is mandatory: Always instantiate with 'UTF-8' (or set default via config). Non-UTF-8 input may lead to insecure fallbacks.
  • Avoid escapeHtml() for attributes: Use escapeHtmlAttr() — it handles double quotes, single quotes and other edge cases correctly.
  • Never combine with raw json_encode() in JS: To inject PHP arrays into JavaScript, call json_encode() first and then escapeJs() on the resulting string — but better yet, use escapeHtml() + <script type="application/json"> for a safer embed.
  • Custom contexts: Extend Escaper to support framework-specific contexts (e.g., Markdown, SQL parameter values) — but do not reuse it for SQL (use PDO prepared statements instead).
  • Debugging tip: Use var_dump($escaper->escapeHtml('<img src=x onerror=alert(1)>')) to quickly verify escaping behavior during development.