Hi

> fixing that...), but I will note: Starting with 2.0, escaping will be
> the default when retrieving variables from the view object, and you will
> need to request the raw value explicitly if you need it. This is a
That sounds like a ZF version of magic_quotes... How do you want to deal with different escaping in javascript, css, html, xml? A view script could be a mix of anything, i.e.:

    <?php $this->var = '1/2"' ?>
    <p onclick="alert("<?php echo $this->var; ?>")"><?php echo $this->var; ?></p>
    <script>
    document.title = "<?php echo $this->var; ?>"
    </script>

and the correct output is:

    <p onclick="alert("1\/2\"")">1/2"</p>
    <script>
    document.title = "1\/2\"";
    </script>

For proper automatic escaping you need information about the context, which is very hard (impossible) to get now...

    html:                       htmlspecialchars($s, ENT_QUOTES)
    xml:                        htmlspecialchars(preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s), ENT_QUOTES)
    css:                        addcslashes($s, "\x00..\x2C./:;<=>?@[\\]^`{|}~")
    css inside html attributes: htmlspecialchars(addcslashes($s, "\x00..\x2C./:;<=>?@[\\]^`{|}~"), ENT_QUOTES)
    javascript:                 json_encode($s)
    js inside html attributes:  htmlspecialchars(json_encode($s), ENT_QUOTES);

-- 
Ondrej Ivanic
(ondrej.iva...@gmail.com)
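The per-context rules listed in the post, written out as a runnable PHP script. This is an added example, not code from the thread or from Zend Framework; the helper names (esc_html, esc_xml, esc_js, esc_js_attr, esc_css, esc_css_attr, render_view) are hypothetical, and it assumes PHP 7 or later. It renders the post's mixed-context view script with the matching escaper at each insertion point, so the nested contexts (JS inside an attribute) are escaped inside-out: JS first, then HTML.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helpers, not Zend Framework code): one escaping
// function per output context, following the per-context rules from the post.

// HTML text and quoted HTML attribute values.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// XML text: strip the control characters XML 1.0 forbids, then escape.
function esc_xml(string $s): string
{
    $clean = preg_replace('#[\x00-\x08\x0B\x0C\x0E-\x1F]+#', '', $s);
    return htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
}

// JavaScript string literal. json_encode emits a double-quoted literal and
// escapes ", \, / and control characters; JSON_HEX_TAG additionally encodes
// < and > as \u003C / \u003E, so a value can never terminate a <script> block.
function esc_js(string $s): string
{
    $literal = json_encode($s, JSON_HEX_TAG);
    if ($literal === false) {
        // json_encode fails on invalid UTF-8; refuse rather than emit nothing
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $literal;
}

// JS literal inside an HTML event-handler attribute: inner context (JS)
// first, outer context (HTML attribute) second.
function esc_js_attr(string $s): string
{
    return esc_html(esc_js($s));
}

// CSS value: backslash-escape everything except letters, digits and '-'.
// The charlist is the post's: bytes 0x00..0x2C plus the listed punctuation.
function esc_css(string $s): string
{
    return addcslashes($s, "\x00..\x2C./:;<=>?@[\\]^`{|}~");
}

// CSS value inside an HTML style attribute: CSS inside, HTML outside.
function esc_css_attr(string $s): string
{
    return esc_html(esc_css($s));
}

// The post's view script, rendered with the right escaper at each point.
// Returns the markup instead of echoing it so callers can inspect it.
function render_view(string $var): string
{
    return '<p onclick="alert(' . esc_js_attr($var) . ')">' . esc_html($var) . "</p>\n"
         . '<script>document.title = ' . esc_js($var) . ";</script>\n";
}

// Constructed sample value: the one used in the post.
$var = '1/2"';

echo render_view($var);

$contexts = [
    'html'        => esc_html($var),
    'xml'         => esc_xml($var),
    'javascript'  => esc_js($var),
    'js in attr'  => esc_js_attr($var),
    'css'         => esc_css($var),
    'css in attr' => esc_css_attr($var),
];
foreach ($contexts as $ctx => $out) {
    printf("%-12s %s\n", $ctx, $out);
}
```

In the rendered `onclick` the browser decodes the `&quot;` entities before handing the text to the JavaScript parser, so `alert(&quot;1\/2\&quot;&quot;)` executes as `alert("1/2\"")`, which is the post's intended value. One caveat on the CSS rule as given: addcslashes writes control characters in C notation (`\n`, `\t`, octal for the rest), which CSS does not recognise as escapes, so control characters should be stripped before a value reaches a CSS context, as the xml rule already does for XML.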