Escape HTML Function for Browser Output Prevents XSS (Cross-Site Scripting)

I don’t know about you but my fingers get tired of escaping output by typing the long-winded htmlspecialchars($str, ENT_QUOTES, 'UTF-8'); over and over again in small PHP projects that don’t need a full-blown framework with automatic output filtering (e.g. CodeIgniter). No matter how small your project is though filtering your output is extremely important so that you prevent malicious users from executing XSS (Cross-Site Scripting) JavaScript code.

So I decided to give my fingers some relief and finally write a short little helper function and share it. See the code and example in the gist below.


    • says

      Thanks for the comment. Regarding the compression of file types that are already compressed, like JPG, there is no value since the gzip compression would most likely increase file size and increase CPU overhead by loading PHP and gzipping it. You’re better off serving all static assets from a CDN such as Amazon CloudFront.

      • says

        Hi There,

        Thanks for the reply.

        I discovered that you don’t compress images etc after I had implemented your code technique and was searching for the answer to the question.

        So, thanks for the reply and thank you very much for the code to get my gzip compression working !

        Best regards, Andrew