Q&A / strings

How should I escape visitor text in HTML?

I am printing a request parameter into a page. Which helper should I use?

Accepted answer by accepted-answer

Convert the value to a string and call encodeHtml before placing it in HTML text or attributes. Wrapping that in a short helper makes templates easier to read.
1define h(value) => string(#value)->encodeHtml2h(web_request->param('name'))
Do not put raw request params directly into HTML.

Answer by attribute-note

Attribute values need escaping too. Build the complete quoted attribute with an encoded value.
1'<input name="q" value="' + string(#q)->encodeHtml + '">'
URL values may need encodeUrl before being inserted into href query strings.

Related manual category