Php makes you go out of your way to escape the output. To properly escape data
outputted to a HTML document, <?=$some_variable?> becomes
<?=htmlspecialchars($some_variable, ENT_QUOTES)?>. Sometimes developers make
shorted helper functions, such as <?=h($some_variable)?>. That's still more
than I would like to do 99% of the time I output data.
SafePhp tags were designed around the following ideas:
- Most output in views should be escaped.
- The default output tag should escaped the data
SafePhp examples:
<%=$escape_this_variable%>
<%==$dont_escape_this%>
<%if(...):%>
<%foreach(...):%>
Installation instructions:
- Open system/core/Loader.php
- look for this block:
else
{
include($_ci_path); // include() vs include_once() allows for multiple views with the same name
}
- just above that 'else' and below the '}' on the line above it, place the following:
else if(config_item('rewrite_safephp_tags') == TRUE)
{
$this->load->helper('safephp');
include("safephp://{$_ci_path}");
}
SafePhp extensions are now installed. To be used, they need to be enabled in application/config/config.php
- open application/config/config.php
- at the end of the file place the following:
$config['rewrite_safephp_tags'] = true;
Provided with these libs is a testpage. In your browser, go to
$CI_ROOT/index.php/safephptest. If the description matches the
output, you're good to go.