Escaping URLs — Zend Framework 2 2.2.10 documentation

Zend\Escaper

Escaping URLs

The escapeUrl() method is basically an alias for PHP’s rawurlencode(), which has applied RFC 3986 since PHP 5.3. It is included primarily for consistency.

URL escaping applies to data being inserted into a URL and not to the whole URL itself.
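The difference between escaping the inserted data and escaping the whole URL, as an added example that is not part of the Zend Framework documentation. It calls rawurlencode() directly, since escapeUrl() is described above as basically an alias for it; the helper buildUrl(), the parameter names and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not code from the Zend Framework documentation.
// buildUrl() is a hypothetical helper; the sample values are constructed.

/**
 * Append untrusted query parameters to a trusted base URL.
 * Every name and value is escaped on its own; the base and the
 * '?', '=' and '&' delimiters are left untouched.
 */
function buildUrl(string $base, array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode((string) $name) . '=' . rawurlencode((string) $value);
    }
    return $pairs ? $base . '?' . implode('&', $pairs) : $base;
}

// Constructed input: the attribute-breaking payload used on this page,
// plus a value containing URL metacharacters ('&', '=', '#').
$name = "\" onmouseover=\"alert('zf2')";
$next = 'a&b=c#frag';

// Correct: only the data inserted into the URL is escaped.
$good = buildUrl('http://example.com/', ['name' => $name, 'next' => $next]);
echo $good, "\n";

// Round trip: the receiving side recovers exactly the original values,
// so the metacharacters in $next did not create extra parameters.
parse_str(parse_url($good, PHP_URL_QUERY), $decoded);
var_dump($decoded === ['name' => $name, 'next' => $next]);

// Wrong: escaping the whole URL also encodes ':', '/', '?' and '=',
// so the result no longer parses as an absolute URL (no scheme, no host).
$bad = rawurlencode('http://example.com/?name=' . $name);
echo $bad, "\n";
var_dump(parse_url($bad, PHP_URL_SCHEME), parse_url($bad, PHP_URL_HOST));

// The '&' that joins the pairs is not data, so it is not URL-escaped.
// In an XHTML attribute the finished URL is therefore HTML-escaped as a whole.
echo '<a href="', htmlspecialchars($good, ENT_QUOTES, 'UTF-8'), '">Click here!</a>', "\n";
```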

Examples of Bad URL Escaping

XSS attacks are easy if data inserted into URLs is not escaped properly:

<?php header('Content-Type: application/xhtml+xml; charset=UTF-8'); ?>
<!DOCTYPE html>
<?php
$input = <<<INPUT
" onmouseover="alert('zf2')
INPUT;
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Unescaped URL data</title>
    <meta charset="UTF-8"/>
</head>
<body>
    <a href="http://example.com/?name=<?php echo $input; ?>">Click here!</a>
</body>
</html>

Examples of Good URL Escaping

Properly escaping data inserted into URLs with escapeUrl() prevents such XSS attacks:

<?php header('Content-Type: application/xhtml+xml; charset=UTF-8'); ?>
<!DOCTYPE html>
<?php
$input = <<<INPUT
" onmouseover="alert('zf2')
INPUT;
$escaper = new Zend\Escaper\Escaper('utf-8');
$output = $escaper->escapeUrl($input);
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Escaped URL data</title>
    <meta charset="UTF-8"/>
</head>
<body>
    <a href="http://example.com/?name=<?php echo $output; ?>">Click here!</a>
</body>
</html>
