0 votes
769 views
in Q2A Core by

I just found that some code I had added to a theme was not escaped and thus open to HTML injection and XSS (although in my particular case it would only affect the hacker, not anyone else). I had this code:

$handle = qa_get_logged_in_handle();
$this->output('etc ' . $handle . ' etc');


I have now added the qa_html function to escape $handle. But how am I supposed to know which content is already escaped, and which is not? I see code like this in Q2A's theme, it's not obvious whether the title has already been escaped:

$headtitle=(strlen($pagetitle) ? ($pagetitle.' - ') : '').$this->content['site_title'];
$this->output('<TITLE>'.$headtitle.'</TITLE>');


1 Answer

+1 vote
by

Really good question. The answer is that anything in the theme which comes from the $theme->content nested array (built up as $qa_content elsewhere in the code base) is already escaped for HTML output, and nothing else is.

An exception: if the chain of keys leading up to a particular item in $theme->content has the word raw anywhere in it, it will not be escaped for HTML.

For example:

$this->content['q_list']['qs'][3]['title'] is ready for direct output

$this->content['q_list']['qs'][3]['raw']['title'] is not

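The rule in the answer above, together with the unescaped-handle mistake from the question, as an added stand-alone example. This is not code from the original post or from Q2A itself: qa_html_stub() is a local stand-in assumed to behave like Q2A's qa_html() (htmlspecialchars with ENT_QUOTES), the $content array is constructed to mirror the shape the answer describes, and the hostile handle value is constructed input rather than anything qa_get_logged_in_handle() returned.

```php
<?php
// Added example, not Q2A's own code. Demonstrates: values reached through
// $this->content are already HTML-escaped unless the key chain contains 'raw';
// anything else (e.g. the logged-in handle) must be escaped before output.

// Local stand-in for Q2A's qa_html() (assumption: htmlspecialchars with ENT_QUOTES).
function qa_html_stub(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed content array shaped like the answer describes: the leaf 'title'
// is pre-escaped, while the 'raw' branch holds the original, unescaped text.
$content = [
    'site_title' => qa_html_stub('Q&A <demo>'),
    'q_list' => ['qs' => [
        3 => [
            'title' => qa_html_stub('Is <b>bold</b> allowed?'),
            'raw'   => ['title' => 'Is <b>bold</b> allowed?'],
        ],
    ]],
];

// A value is pre-escaped only if no key on the path to it is 'raw'.
function is_preescaped(array $keys): bool {
    return !in_array('raw', $keys, true);
}

// Walk the nested array along $keys; escape the result only when the path
// went through 'raw'. Missing keys yield an empty string rather than a notice.
function safe_from_content(array $content, array $keys): string {
    $value = $content;
    foreach ($keys as $k) {
        if (!is_array($value) || !array_key_exists($k, $value)) {
            return '';
        }
        $value = $value[$k];
    }
    return is_preescaped($keys) ? (string)$value : qa_html_stub((string)$value);
}

// Stand-in for $this->output() in a theme class.
function output(string $html): void {
    echo $html, "\n";
}

// Pre-escaped path: safe to concatenate straight into markup.
output('<TITLE>' . safe_from_content($content, ['q_list', 'qs', 3, 'title'])
    . ' - ' . safe_from_content($content, ['site_title']) . '</TITLE>');

// 'raw' path: the helper escapes it, producing the same markup as the pre-escaped copy.
output(safe_from_content($content, ['q_list', 'qs', 3, 'raw', 'title']));

// Anything that does not come from $content is never pre-escaped.
// Constructed hostile handle standing in for qa_get_logged_in_handle():
$handle = 'Bob <b>"admin"</b>';
output('Logged in as ' . $handle);               // unsafe: tags and quotes reach the page verbatim
output('Logged in as ' . qa_html_stub($handle)); // safe: &lt;b&gt;&quot;admin&quot;&lt;/b&gt;
```

Run it with the PHP CLI and compare the two "Logged in as" lines: the first is the pattern from the question, the second is the fix. In a real theme you would keep the same key-chain check in mind when reading code like the TITLE line quoted in the question, since $this->content['site_title'] has no 'raw' in its path and is therefore already escaped.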
by
OK thanks! Glad there's a simple rule :)