polyfony-inc/polyfony

Adopt Zend/Escaper and wrap with Format::htmlSafe()

Closed this issue · 1 comment

The function currently uses

filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

It would probably be a bit safer to use a Zend package.

Believe it or not, escaping in PHP is not terribly easy to get right:

https://framework.zend.com/blog/2017-05-16-zend-escaper.html

This causes some trouble, as it messes with the types of variables.
It converts integers to strings, breaking strongly typed input parameters.

$obj->get('count_id');

Used to return an (int) value, but now returns a string.

$obj->get('id_status'); // assuming the value is "0" in the database

Used to return (int) 0; now it casts to "" (empty string).
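As an added example (not Polyfony's Format::htmlSafe() and not Zend\Escaper code), the following puts the filter_var() approach from the issue side by side with a wrapper that escapes only strings and passes ints, floats, bools and null through untouched, which is the type regression the comment above describes. The default escaper is htmlspecialchars() with the flags Zend\Escaper uses for escapeHtml(); a Zend/Laminas escapeHtml() closure can be passed as $escape instead. The function names, the $escape parameter and the sample values are my own.

```php
<?php
declare(strict_types=1);

// Added example, not Polyfony's Format::htmlSafe() and not Zend\Escaper code.
// Contrasts filter_var(FILTER_SANITIZE_FULL_SPECIAL_CHARS), which stringifies
// every scalar it is given, with a wrapper that escapes only strings so a typed
// getter such as $obj->get('count_id') keeps returning an int.

/** The approach the issue describes: the result is always a string (or false). */
function sanitizeWithFilterVar(mixed $value): mixed
{
    return filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

/**
 * Type-preserving escaping for HTML element content and quoted attributes.
 *
 * Hypothetical helper. $escape defaults to htmlspecialchars() with the flags
 * Zend\Escaper::escapeHtml() uses (ENT_QUOTES | ENT_SUBSTITUTE, UTF-8); pass
 * [$zendEscaper, 'escapeHtml'] to delegate to the Zend/Laminas package instead.
 */
function htmlSafe(mixed $value, ?callable $escape = null): mixed
{
    $escape ??= static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    if (is_string($value)) {
        return $escape($value);                 // the only case that needs escaping
    }
    if (is_int($value) || is_float($value) || is_bool($value) || $value === null) {
        return $value;                          // no HTML metacharacters possible; keep the type
    }
    if (is_array($value)) {
        // Escape element-wise so keys and nesting survive.
        return array_map(static fn (mixed $v): mixed => htmlSafe($v, $escape), $value);
    }
    if ($value instanceof Stringable) {
        return $escape((string) $value);
    }
    throw new InvalidArgumentException(
        'Cannot HTML-escape a value of type ' . get_debug_type($value)
    );
}

// Constructed sample inputs covering the cases raised in this thread
// plus an invalid UTF-8 sequence, which htmlspecialchars() treats specially.
$samples = [
    'count_id'  => 42,
    'id_status' => 0,
    'flag'      => true,
    'label'     => '<b>"Hi" & \'bye\'</b>',
    'bad_utf8'  => "caf\xE9",
];

foreach ($samples as $name => $value) {
    printf(
        "%-10s filter_var: %-26s htmlSafe: %s\n",
        $name,
        var_export(sanitizeWithFilterVar($value), true),
        var_export(htmlSafe($value), true)
    );
}
```

Two caveats worth keeping in mind when comparing the columns. FILTER_SANITIZE_FULL_SPECIAL_CHARS is documented as htmlspecialchars() with ENT_QUOTES, and without ENT_SUBSTITUTE or ENT_IGNORE htmlspecialchars() returns an empty string for an invalid UTF-8 sequence, so the 'bad_utf8' row silently loses its content under filter_var() while the wrapper substitutes U+FFFD. And both approaches only cover the HTML body and quoted-attribute context; JavaScript, CSS and URL contexts need the separate escapeJs(), escapeCss() and escapeUrl() methods the linked Zend blog post describes, which is the point of adopting that package rather than a single catch-all filter.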