====== Escaping output ======
It is your job to escape output in Solar views to prevent [[http://en.wikipedia.org/wiki/Cross-site_scripting|Cross Site Scripting]].
Use the built-in escape helper:
<code php>
echo $this->escape($potentially_unsafe_value);
</code>
===== View Helpers that do not escape output =====
As a general rule, all Solar view helpers that output HTML escape their output. The helpers below are the exceptions; be careful with them.
==== getTextRaw ====
getTextRaw allows a translated string to contain HTML. One thing to watch out for is that data passed to the replacements parameter of getTextRaw will not be escaped.
You must pre-escape replacement values before calling getTextRaw(). You must NOT pre-escape replacement values when calling getText(), because getText() escapes them itself and they would be double escaped.
==== publicHref ====
publicHref returns raw (unescaped) values if its second parameter is TRUE. A variety of other helpers use this feature.
==== linkStylesheet ====
linkStylesheet does not escape its href parameter.
==== scriptInline ====
scriptInline does not escape its code parameter.
==== style ====
linkStylesheet does not escape its href parameter.
===== View Helpers that do not return HTML =====
==== head ====
The head view helper does not return HTML.
===== Double escaping output =====
One thing to watch for is passing already escaped output to a view helper that will escape the output again:
<code php>
echo $this->anchor($href, $this->escape($title));
</code>
Here, $title will be escaped twice, producing unwanted output such as ''&amp;amp;'' where ''&amp;'' was intended.
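The escape-once rule, the getTextRaw pre-escaping requirement and the double-escaping pitfall above, shown side by side in an added example. This is not Solar's code: ''DemoView'' is a constructed stand-in whose ''escape()'' is assumed to behave like ''htmlspecialchars()'' with ''ENT_QUOTES'', and whose ''anchor()'' and ''getTextRaw()'' are simplified models of the helpers the page describes.

```php
<?php
// Added example, not Solar's own code. DemoView is a constructed stand-in.
// Assumption: Solar's escape() behaves like htmlspecialchars() with ENT_QUOTES;
// anchor() and getTextRaw() below are simplified models of the real helpers.
class DemoView
{
    // Constructed translation table; the template deliberately contains HTML.
    private array $strings = [
        'WELCOME' => 'Welcome back, <b>{:name}</b>!',
    ];

    // Safe by default: every untrusted value goes through here exactly once.
    public function escape(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }

    // Models anchor(): the helper escapes the text itself, so callers must
    // pass the raw title, not a pre-escaped one.
    public function anchor(string $href, string $text): string
    {
        return '<a href="' . $this->escape($href) . '">'
             . $this->escape($text) . '</a>';
    }

    // Models getTextRaw(): the template may contain HTML and replacement
    // values are NOT escaped, so the caller must pre-escape them.
    public function getTextRaw(string $key, array $replace = []): string
    {
        $tpl = $this->strings[$key];
        foreach ($replace as $k => $v) {
            $tpl = str_replace('{:' . $k . '}', $v, $tpl);
        }
        return $tpl;
    }
}

$view  = new DemoView();
$title = 'Tom & Jerry <script>';   // constructed untrusted input

// Correct: anchor() escapes the title once.
echo $view->anchor('/cartoons', $title), "\n";

// Double escaping: the already-escaped title is escaped a second time.
echo $view->anchor('/cartoons', $view->escape($title)), "\n";

// getTextRaw(): pre-escape the replacement; the template's <b> stays intact.
echo $view->getTextRaw('WELCOME', ['name' => $view->escape($title)]), "\n";
```

The first line renders the ampersand as ''&amp;'' and neutralises the ''<script>'' text, while the second line shows the ''&amp;amp;'' and ''&amp;lt;'' sequences that double escaping leaves in the page.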