Raydium Framework

Esc
in package

https://github.com/devuri/esc/tree/main

Table of Contents

attr()  : mixed
Escape HTML attribute values. Use specific helpers (attrId, attrUrl, etc.) when available.
attrClass()  : mixed
Sanitize HTML classes (safe without extra escaping). Normalizes whitespace and validates tokens.
attrId()  : mixed
Sanitize HTML ID (safe without extra escaping). Ensures the ID starts with a letter.
attrUrl()  : mixed
Escape URL for attributes (alias of url()).
css()  : mixed
Sanitize CSS values (very restrictive). Blocks url(), calc(), and complex syntax. Use cssColor() or cssLength() for specific types.
cssColor()  : mixed
Validate CSS color values. Supports hex, rgb/rgba, and common named colors. Always combine with attr() for inline styles.
cssLength()  : mixed
Validate CSS length values. Supports px, em, rem, %, vh, vw, and other units. Always combine with attr() for inline styles.
filename()  : mixed
Sanitize filenames for safe filesystem operations. Removes path traversal and special characters.
html()  : mixed
Escape HTML content between tags.
js()  : mixed
Escape JS string content (returns unwrapped content).
json()  : mixed
JSON-encode for JavaScript (primary method for JS data). Safe in <script> tags and attributes.
like()  : mixed
Escape LIKE wildcards (%, _). MUST be used with prepared statements.
slug()  : mixed
Create URL-safe slug. Still needs html() when outputting to HTML.
sqlIdentifier()  : mixed
Sanitize SQL identifiers (table/column names).
stripTags()  : mixed
Strip HTML tags (NOT an XSS sanitizer). Use html() for XSS protection instead.
textarea()  : mixed
Escape textarea content (preserves newlines).
url()  : mixed
Validate and escape URLs for href/src. Blocks javascript:, data:, vbscript:, and protocol-relative URLs (by default). Allows http, https, mailto, tel, and ftp.

Methods

attr()

Escape HTML attribute values. Use specific helpers (attrId, attrUrl, etc.) when available.

public static attr(mixed $string) : mixed
Parameters
$string : mixed
Tags
example

// <input> markup assumed (the tags were lost from the original listing); keep the attribute quoted
echo '<input type="text" value="' . Esc::attr($value) . '">';

Return values
mixed

attrClass()

Sanitize HTML classes (safe without extra escaping). Normalizes whitespace and validates tokens.

public static attrClass(mixed $classes) : mixed
Parameters
$classes : mixed
Tags
example

// <div> markup assumed (the tags were lost from the original listing)
echo '<div class="' . Esc::attrClass($classes) . '"></div>';

Return values
mixed

attrId()

Sanitize HTML ID (safe without extra escaping). Ensures the ID starts with a letter.

public static attrId(mixed $id) : mixed
Parameters
$id : mixed
Tags
example

// <div> markup assumed (the tags were lost from the original listing)
echo '<div id="' . Esc::attrId($id) . '"></div>';

Return values
mixed

attrUrl()

Escape URL for attributes (alias of url()).

public static attrUrl(mixed $url[, mixed $allowProtocolRelative = false ]) : mixed
Parameters
$url : mixed
$allowProtocolRelative : mixed = false
Tags
example

// <a> markup assumed (the tags were lost from the original listing)
echo '<a href="' . Esc::attrUrl($url) . '">Link</a>';

Return values
mixed

css()

Sanitize CSS values (very restrictive). Blocks url(), calc(), and complex syntax. Use cssColor() or cssLength() for specific types.

public static css(mixed $string) : mixed

Always combine with attr() for inline styles:

Parameters
$string : mixed
Tags
example

$style = 'color: ' . Esc::css($val);
// <div> markup assumed (the tags were lost from the original listing); attr() escapes the style attribute
echo '<div style="' . Esc::attr($style) . '"></div>';

Return values
mixed

cssColor()

Validate CSS color values. Supports hex, rgb/rgba, and common named colors. Always combine with attr() for inline styles.

public static cssColor(mixed $color) : mixed
Parameters
$color : mixed
Tags
example

$style = 'color: ' . Esc::cssColor($color);
// <div> markup assumed (the tags were lost from the original listing); attr() escapes the style attribute
echo '<div style="' . Esc::attr($style) . '"></div>';

Return values
mixed

cssLength()

Validate CSS length values. Supports px, em, rem, %, vh, vw, and other units. Always combine with attr() for inline styles.

public static cssLength(mixed $length) : mixed
Parameters
$length : mixed
Tags
example

$style = 'width: ' . Esc::cssLength($width);
// <div> markup assumed (the tags were lost from the original listing); attr() escapes the style attribute
echo '<div style="' . Esc::attr($style) . '"></div>';

Return values
mixed

filename()

Sanitize filenames for safe filesystem operations. Removes path traversal and special characters.

public static filename(mixed $filename) : mixed
Parameters
$filename : mixed
Tags
example

$safe = Esc::filename($_FILES['upload']['name']);

Return values
mixed

html()

Escape HTML content between tags.

public static html(mixed $string) : mixed
Parameters
$string : mixed
Tags
example

// <div> markup assumed (the tags were lost from the original listing)
echo '<div>' . Esc::html($content) . '</div>';

Return values
mixed

js()

Escape JS string content (returns unwrapped content).

public static js(mixed $string) : mixed

Prefer json(); this method is for edge cases only.

Parameters
$string : mixed
Tags
example

echo '<script>var x = "' . Esc::js($str) . '";</script>';

Return values
mixed

json()

JSON-encode for JavaScript (primary method for JS data). Safe in <script> tags and attributes.

public static json(mixed $value) : mixed
Parameters
$value : mixed
Tags
example

echo '<script>var data = ' . Esc::json($value) . ';</script>';

Return values
mixed

like()

Escape LIKE wildcards (%, _). MUST be used with prepared statements.

public static like(mixed $string) : mixed
Parameters
$string : mixed
Tags
example

$stmt = $pdo->prepare("SELECT * FROM users WHERE name LIKE ? ESCAPE '\\'");
$stmt->execute(['%' . Esc::like($term) . '%']);

Return values
mixed

slug()

Create URL-safe slug. Still needs html() when outputting to HTML.

public static slug(mixed $string) : mixed
Parameters
$string : mixed
Tags
example

$slug = Esc::slug($title); // "hello-world"

Return values
mixed

sqlIdentifier()

Sanitize SQL identifiers (table/column names).

public static sqlIdentifier(mixed $identifier) : mixed

WARNING: only use after whitelist validation.

Parameters
$identifier : mixed
Tags
example

$allowed = ['name', 'email', 'created_at'];
if (in_array($col, $allowed, true)) {
    $sql = "SELECT " . Esc::sqlIdentifier($col) . " FROM users";
}

Return values
mixed
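The two SQL helpers above, like() and sqlIdentifier(), cover the two places where user input cannot simply be bound as a parameter in the usual way: wildcard characters inside a LIKE pattern, and column names. The following is an added example, not code from the devuri/esc project; it assumes the Esc class is loaded (namespace omitted) and the pdo_sqlite extension, and uses a constructed in-memory `users` table so it runs without a database server.

```php
<?php
// Added example (not from devuri/esc). Assumes the Esc class is loaded and
// builds a constructed in-memory SQLite table so the script runs stand-alone.

/**
 * Search users by a user-supplied term and sort by a user-supplied column.
 *
 * The term is bound as a parameter, so it can never alter the SQL structure;
 * Esc::like() additionally escapes % and _ so a term such as "100%" matches
 * that literal text instead of every row, and the ESCAPE '\' clause tells the
 * database which escape character was used. Column names cannot be bound, so
 * the sort column and direction are checked against fixed whitelists and only
 * the validated name is passed to Esc::sqlIdentifier(), as its docblock requires.
 */
function searchUsers(PDO $pdo, string $term, string $sortCol, string $sortDir): array
{
    $sortable = ['name', 'email', 'created_at'];
    if (!in_array($sortCol, $sortable, true)) {
        $sortCol = 'created_at';   // unknown column: fall back rather than trust the input
    }
    $dir = strtoupper($sortDir) === 'ASC' ? 'ASC' : 'DESC';

    $sql = 'SELECT name, email, created_at FROM users'
         . " WHERE name LIKE :term ESCAPE '\\'"
         . ' ORDER BY ' . Esc::sqlIdentifier($sortCol) . ' ' . $dir;

    $stmt = $pdo->prepare($sql);
    // The surrounding wildcards are added by our code, after the user's own were escaped.
    $stmt->execute([':term' => '%' . Esc::like($term) . '%']);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT, created_at TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name, email, created_at) VALUES (?, ?, ?)');
foreach ([
    ['Alice',         'alice@example.com', '2024-01-01'],
    ['Bob',           'bob@example.com',   '2024-02-01'],
    ['Discount 100%', 'sales@example.com', '2024-03-01'],
] as $row) {
    $insert->execute($row);
}

// Inputs as they might arrive from a form: only the "Discount 100%" row should match,
// and the sort column that is not on the whitelist is replaced by the default.
$rows = searchUsers($pdo, '100%', 'password_hash', 'asc');
foreach ($rows as $row) {
    echo $row['name'], "\t", $row['email'], PHP_EOL;
}
```

Without Esc::like(), the term `100%` would be passed through as the pattern `%100%%`, and the trailing `%` would match every name beginning with "100"; with it, the user's wildcard is matched literally and only the code's own surrounding wildcards remain active.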

stripTags()

Strip HTML tags (NOT an XSS sanitizer). Use html() for XSS protection instead.

public static stripTags(mixed $string[, mixed $allowedTags = '' ]) : mixed
Parameters
$string : mixed
$allowedTags : mixed = ''
Return values
mixed

textarea()

Escape textarea content (preserves newlines).

public static textarea(mixed $string) : mixed
Parameters
$string : mixed
Tags
example

echo '<textarea>' . Esc::textarea($text) . '</textarea>';

Return values
mixed

url()

Validate and escape URLs for href/src. Blocks javascript:, data:, vbscript:, and protocol-relative URLs (by default). Allows http, https, mailto, tel, and ftp.

public static url(mixed $url[, bool $allowProtocolRelative = false ]) : mixed
Parameters
$url : mixed
$allowProtocolRelative : bool = false

Allow //example.com (protocol-relative) URLs.

Tags
example

// <a> markup assumed (the tags were lost from the original listing)
echo '<a href="' . Esc::url($url) . '">Link</a>';

Return values
mixed
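Each method in this reference is tied to one output context, and the security value comes from using the right one in the right place. The following is an added example, not code from the devuri/esc project, that renders a small component from untrusted data and uses attrId(), attrClass(), url(), cssColor(), cssLength(), attr(), html(), slug(), textarea() and json() in the contexts their docblocks describe. The card markup, the `$profile` array and the `renderProfileCard()` function are constructed for this example; the Esc class is assumed to be loaded.

```php
<?php
// Added example (not from devuri/esc). Assumes the Esc class is loaded; the
// markup, the function and the sample data below are constructed for illustration.

/**
 * Render a profile card, choosing the Esc method by where each value lands.
 */
function renderProfileCard(array $p): string
{
    // Values that are sanitized (safe without further escaping in their attribute):
    $id    = Esc::attrId($p['id']);          // id attribute: must start with a letter
    $class = Esc::attrClass($p['classes']);  // class attribute: tokens validated, whitespace normalized

    // href/src: url() blocks javascript:, data:, vbscript: and (by default) protocol-relative URLs.
    $href = Esc::url($p['website']);

    // Inline style: css*() only validate the value; attr() still escapes the attribute as a whole.
    $style = 'color: ' . Esc::cssColor($p['color'])
           . '; max-width: ' . Esc::cssLength($p['width']);

    // slug() gives a URL-safe token, but it is still untrusted text in an HTML attribute.
    $slug = Esc::slug($p['name']);

    return '<div id="' . $id . '" class="' . $class . '" style="' . Esc::attr($style) . '">'
         . '<h2 data-slug="' . Esc::attr($slug) . '">' . Esc::html($p['name']) . '</h2>'
         . '<a href="' . $href . '">' . Esc::html($p['website']) . '</a>'
         . '<p>' . Esc::html($p['bio']) . '</p>'
         // textarea(): escaped for element content while keeping the user's line breaks
         . '<textarea name="bio">' . Esc::textarea($p['bio']) . '</textarea>'
         // json(): the primary way to hand data to JavaScript, including inside <script>
         . '<script>var profile = ' . Esc::json(['id' => $p['id'], 'slug' => $slug]) . ';</script>'
         . '</div>';
}

// Constructed untrusted input of the kind a form or API could send. Each field
// contains something the matching Esc method is documented to handle.
$profile = [
    'id'      => '42-user',                        // does not start with a letter
    'classes' => "card   featured\n<b>",           // irregular whitespace and a non-token
    'website' => 'javascript:void(0)',             // scheme that url() blocks
    'color'   => 'red; background: url(//x)',      // not a color value
    'width'   => '320px',
    'name'    => 'Ada <Lovelace>',
    'bio'     => "Line one\nLine two & \"quotes\"",
];

echo renderProfileCard($profile), PHP_EOL;
```

The point of the example is the mapping, not any one call: the same string (`$p['name']`) is escaped once for element text with html() and once for an attribute via slug() plus attr(), and the style value passes through two layers (cssColor()/cssLength() for validity, attr() for the attribute) because, as the docblocks say, the css*() helpers are meant to be combined with attr().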
