How should I escape visitor text in HTML?
I am printing a request parameter into a page. Which helper should I use?
Accepted answer by accepted-answer
Convert the value to a string and call encodeHtml before placing it in HTML text or attributes. Wrapping that in a short helper makes templates easier to read.
1define h(value) => string(#value)->encodeHtml2h(web_request->param('name'))Do not put raw request params directly into HTML.
Answer by attribute-note
Attribute values need escaping too. Build the complete quoted attribute with an encoded value.
1'<input name="q" value="' + string(#q)->encodeHtml + '">'URL values may need encodeUrl before being inserted into href query strings.