zen of coding

Use Sanitize::html() class in the views

Update (9/16/2008): As some people pointed out, it’s easier to use the h() method defined in basics.php of the core; it achieves the same basic goal. But since the Sanitize class has other methods and purposes, I’m going to leave this as an informational example and food for thought (i.e. you could completely strip out all dangerous characters using Sanitize for one view, while keeping the data intact for other views and in the DB).

A little example for when Sanitize::html() can be quite useful in a view of your application…

Perhaps you have some Comments form, where you wouldn’t mind if users entered something like:

[sourcecode language=”javascript”]


(Maybe it was for educational purposes only…)

Of course, the common rule is to make your data safe before you save it. However, such data is perfectly fine for saving, but very dangerous when displayed back to the user. Therefore you don’t want to convert any HTML characters (e.g. '<') to their safe entity alternatives before the data goes into the DB. In the view, all you need to do is call App::import('Sanitize'); then you can easily do something like:

echo Sanitize::html($comment['Comment']['body']);
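
The store-raw, escape-in-the-view rule described above, as an added example that is not part of the original post. It uses PHP's built-in htmlspecialchars() as a stand-in for Sanitize::html() (an assumption, so the script runs without CakePHP), and the comment body and function names are constructed for illustration.

```php
<?php
// Constructed sample: a comment body exactly as a user might submit it.
$raw = '<script>alert("hi")</script> note that 5 < 7 && it\'s fine';

// Stand-in for the view-layer call (assumption: htmlspecialchars() in
// place of CakePHP's Sanitize::html() or h(), to stay framework-free).
function escape_for_html($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Approach A: save the raw text, escape only where HTML is produced.
function render_store_raw($input) {
    $stored = $input;                        // value kept in the DB
    return array(
        'db'   => $stored,
        'html' => escape_for_html($stored),  // HTML view: escaped once
        'text' => $stored,                   // plain-text e-mail, export, API
    );
}

// Approach B: escape before saving. Every consumer now receives entities,
// and a view that escapes on output (as it should) encodes them twice.
function render_store_escaped($input) {
    $stored = escape_for_html($input);
    return array(
        'db'   => $stored,
        'html' => escape_for_html($stored),  // "&lt;" becomes "&amp;lt;"
        'text' => $stored,                   // entities leak into non-HTML output
    );
}

// A third view of the same raw data that strips markup instead of
// escaping it, which is only possible because the stored copy is intact.
function render_stripped($input) {
    return escape_for_html(strip_tags($input));
}

foreach (array('store raw' => render_store_raw($raw),
               'store escaped' => render_store_escaped($raw)) as $label => $views) {
    echo "== $label ==\n";
    foreach ($views as $name => $value) {
        echo str_pad($name, 5) . ": $value\n";
    }
}
echo "== stripped view of raw data ==\n" . render_stripped($raw) . "\n";
```

Run it with the PHP command-line interpreter and compare the `html` and `text` lines of the two approaches: only the store-raw variant yields correctly escaped HTML and an unmodified plain-text copy from the same stored value.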
  • GreyCells

    Interesting. I’ve habitually been using h(…) for all outputs – totally different implementation, but functionally similar (and quicker to type :)

  • Adam

    This is an important topic to cover, but I think you should explain in more detail why people should use this method, what output it creates, and how it is different to h() or html_entities(). And maybe mention the second parameter to this method?

  • teknoid


    h()? I don’t think I’ve seen this method before… where is that defined?

  • Andreas

    it’s defined in cake/basics.php and it’s one of my most used functions.
    Is there any advantage in using Sanitize::html()?

  • teknoid


    Hmm… well I guess the API is not quite up to date, as there is no mention of it here: http://api.cakephp.org/basics_8php.html

    I did find the function in my local core, so it should be fine to use if one is available (certainly more convenient). The functions are slightly different in the way they are implemented, but I think for basic usage it’s just fine.

    Thanks GreyCells and Andreas, I’ve updated the post to reflect that.

  • teknoid


    Thanks, I’ve made the update to the post

  • Another option is Helper::clean(). It doesn’t escape, it just destroys; it functions much like strip_tags and it blows up nasty attributes as well. So if you want to strip instead of safety, that’s an option too.

  • teknoid

    @Mark Story

    Thanks. Good to know.

  • charbel

    What’s the opposite of Sanitize::html? I want to restore the HTML tags.

  • Great post man, I think your writing is really great, and I’d love to read more! Hope you keep up the posting and keep up the good work, because this post has some really good quality!
