Skip to main content

Cheat sheet

Quick reference if you just need to know how to escape stuff!

Do's and Don'ts

  • Use only query_result_no_html and fetchByAssoc(..., -1, false) or fetchByAssocNoHtml, we don't want that pesky to_html function to be called
  • Do not generate html strings in php, use templates or HtmlString::build
  • Do not echo html code in PHP, use Smarty
  • Do not use VStr::toJsAttr method
  • Do not try to build js code from PHP, use .js files or <script> tags in templates
  • Do not use html_entity_decode, htmlentities, htmlspecialchars, addslashes, it's probably not needed (unless you are working on legacy code)
  • Do not use to_html, from_html, decode_html , these were always a bad idea

How to's:

In How do I handle... ? ... like this:

Smarty, html code




 standard variable {$VARIABLE}
variable, but it's a HtmlString {$VARIABLE}
variable, but it's a string and already html

{$VARIABLE nofilter}

or

{$VARIABLE|rawhtml}
{capture} blocks

 

{capture assign="capname"}
  <div>.... html code {$VARIABLE} </div>
{capture}

{$capname nofilter}




Smarty,

inside <script>


 string variable var myvar = '{$VARIABLE}';
object or array variable var mylist = {$VARIABLE|json_encode};
string inside url

var url = "index.php?module={$VARIABLE|escape:"url"}";



Smarty,

js in attributes

 string variable

 

{* using escape in "javascript" mode *}
<span onclick="myFunction('{$PARAM|escape:"javascript"}')">Link</span>

{* using out VStr::toJs method *}
<span onclick="myFunction2('{VStr::toJs($PARAM)}')">Link2 </span>
string in url 
<span onclick="location.href='index.php?mode={$MODPARAM|escape:"url"|escape:"javascript"};>Link 3</span>

Back to top