Code Weaver
Zend Escaper Laravel Package

zendframework/zend-escaper

Zend Escaper is a PHP library for context-aware escaping to help prevent XSS. Escape HTML, HTML attributes, JavaScript, CSS, and URLs with reliable encoders, making it easy to safely output untrusted data in templates and web responses.

Getting Started

  • Install via Composer: composer require zendframework/zend-escaper
  • The component provides security-focused escaping for output contexts (HTML, JS, CSS, URL, and raw data)
  • Start by instantiating \Zend\Escaper\Escaper — it's stateless and thread-safe, so one instance can be reused (e.g., via dependency injection or a singleton)
  • First use case: escaping user-provided data before embedding in HTML:
    $escaper = new \Zend\Escaper\Escaper('utf-8');
    echo $escaper->escapeHtml($userInput); // Safely outputs as HTML text content
    

Implementation Patterns

  • Context-Aware Escaping: Use the appropriate method for the output context:
    • escapeHtml() for HTML element content (not attributes)
    • escapeHtmlAttr() for HTML attributes
    • escapeJs() for JavaScript string literals
    • escapeCss() for CSS property values
    • escapeUrl() for URL query parameters or full URLs (with validation)
    • escapeHtmlLower() / escapeHtmlUpper() for less common cases (rarely needed)
  • Integration with Frameworks:
    • In Laravel: Bind Escaper as a singleton in a service provider; create an e() helper wrapping $escaper->escapeHtml() if replacing Blade’s default {{ }}
    • In Symfony: Register as a service; use in templates via escapeHtml() in custom Twig filters
  • Consistency: Wrap all untrusted output; never assume $variable, $request->input(), or DB results are safe
  • Batch Escaping: When rendering multiple values, inject a shared Escaper instance rather than creating many; the cost of constructing one is negligible, but reuse avoids duplication
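As an added example (not code from the zend-escaper project or from this page), the context-aware pattern in the list above applied to constructed untrusted values, one encoder per output context, plus the nested case of a URL parameter inside an href attribute. The vendor autoload path and the Laravel singleton binding shown in the comment are assumptions.

```php
<?php
// Added example; assumes Composer autoloading and zendframework/zend-escaper
// (laminas/laminas-escaper exposes the same API).
require __DIR__ . '/vendor/autoload.php';

use Zend\Escaper\Escaper;

// One stateless instance reused for every context. In a Laravel service
// provider the equivalent binding would be (assumed wiring, not from the page):
//   $this->app->singleton(Escaper::class, function () { return new Escaper('utf-8'); });
$escaper = new Escaper('utf-8');

// Constructed untrusted input: each value carries characters that are
// meaningful in the context it will be rendered into.
$untrusted = [
    'name'  => '<b>Mallory</b> "quoted" & \'single\'',
    'color' => 'red; background: url(x)',
    'next'  => '/profile?id=1&tab=<x>',
];

// Pick the encoder that matches where the value lands in the output.
$html = $escaper->escapeHtml($untrusted['name']);     // element text content
$attr = $escaper->escapeHtmlAttr($untrusted['name']); // quoted attribute value
$js   = $escaper->escapeJs($untrusted['name']);       // JavaScript string literal
$css  = $escaper->escapeCss($untrusted['color']);     // CSS property value

// Nested contexts: the value is a URL query parameter that then sits inside
// an HTML attribute. Escape for the inner context (URL) first and the outer
// context (attribute) last, so the attribute encoder sees the final string.
$href = $escaper->escapeHtmlAttr('/go?to=' . $escaper->escapeUrl($untrusted['next']));

// CSS inside a style attribute follows the same inner-then-outer rule.
$style = $escaper->escapeHtmlAttr('color: ' . $css);

echo <<<HTML
<p>Hello, {$html}</p>
<input type="text" value="{$attr}">
<a href="{$href}">next</a>
<span style="{$style}">styled</span>
<script>var name = "{$js}";</script>
HTML;
```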

Gotchas and Tips

  • Do NOT use escapeHtml() for attributes — use escapeHtmlAttr() or htmlspecialchars() with ENT_QUOTES manually. escapeHtml() intentionally does not escape quotes, assuming HTML content context
  • No auto-escaping in templates: this is a manual escaping library; unlike modern frameworks (e.g., Blade, Twig), it doesn’t hook into view rendering automatically, so disciplined adherence is required
  • Encoding matters: Always specify 'utf-8' (or your app’s encoding) in the constructor — default may break non-ASCII content
  • Deprecated but stable: Since Zend Framework is archived, prefer laminas/laminas-escaper instead (same API, maintained by Laminas Project); zendframework/zend-escaper will continue to work but won’t receive updates
  • Debugging: Escaped output that looks “broken” (e.g., a literal &amp; where & was expected) usually means double-escaping; trace whether data was already escaped before reaching the escaper
  • Extension point: Subclass Escaper to add domain-specific escaping (e.g., escapeMarkdown()), but avoid overriding core methods — extend only with new methods