<p>For HTML output, apply context-aware escaping: use HTML entity encoding for text and attributes, and combine with JavaScript escaping in scripts; 2. For JSON, always use built-in serializers and escape special characters like </p> <p><img src="/static/imghw/default1.png" data-src="https://img.php.cn/upload/article/000/000/000/175364898234231.jpg" class="lazy" alt="Context is King: Tailoring Escape Strategies for HTML, JSON, and SQL Output"></p> <p>When building web applications, generating dynamic output is unavoidable — whether it’s rendering user data in HTML, serving APIs with JSON, or storing information in SQL databases. But here’s the catch: <strong>the same data can be dangerous in different contexts</strong>. A string that’s perfectly safe in JSON might be a ticking time bomb in HTML. That’s why one-size-fits-all escaping doesn’t work. <strong>Context is king</strong> — and your escape strategy must adapt accordingly.</p> <img src="/static/imghw/default1.png" data-src="https://img.php.cn/upload/article/000/000/000/175364898389353.jpeg" class="lazy" alt="Context is King: Tailoring Escape Strategies for HTML, JSON, and SQL Output"><p>Let’s break down how and why escaping differs across HTML, JSON, and SQL — and what you should actually do to stay safe in each.</p> <hr> <h3 id="HTML-Output-Beware-of-Injection-Points">1. HTML Output: Beware of Injection Points</h3> <p>When user-generated content is inserted into HTML, the main threat is <strong>Cross-Site Scripting (XSS)</strong>. The danger lies in how and where the data is placed.</p> <img src="/static/imghw/default1.png" data-src="https://img.php.cn/upload/article/000/000/000/175364898481960.jpeg" class="lazy" alt="Context is King: Tailoring Escape Strategies for HTML, JSON, and SQL Output"><h4 id="Key-Rule-Escape-based-on-context-within-HTML">Key Rule: Escape based on context within HTML</h4> <ul> <li> <strong>In text content</strong>: Use HTML entity encoding (<code> → <code>, <code>></code> → <code>></code>, <code>&</code> → <code>&</code>, etc.)</code></code> </li> <li> <strong>In attributes</strong>: Still use entity encoding, but also ensure quotes are escaped (<code>"</code> → <code>"</code>) if inside double quotes</li> <li> <strong>In JavaScript blocks or event handlers</strong>: This is a <em>nested context</em> — you need both HTML and JavaScript escaping</li> <li> <strong>In URLs (e.g., href, src)</strong>: Validate and sanitize protocols (block <code>javascript:</code>), and URL-encode where necessary</li> </ul> <h4 id="Example">Example:</h4><pre class='brush:php;toolbar:false;'><!-- Unsafe --> <div>Hello <script>alert('xss')</script></div> <!-- Safe after HTML escaping --> <div>Hello <script>alert('xss')</script></div></pre><p>? <strong>Pro tip</strong>: Use templating engines (like Django templates, React, or Handlebars) that auto-escape by default — but verify they’re context-aware. Never use <code>innerHTML</code> with raw user input.</p><hr /><h3 id="JSON-Output-Watch-for-Script-Breakouts">2. JSON Output: Watch for Script Breakouts</h3><p>JSON is often seen as “safe” because it’s just data — but when embedded in HTML or served in responses parsed by JavaScript, it can still lead to XSS.</p><img src="/static/imghw/default1.png" data-src="https://img.php.cn/upload/article/000/000/000/175364898550303.jpeg" class="lazy" alt="Context is King: Tailoring Escape Strategies for HTML, JSON, and SQL Output" /><h4 id="Key-Rule-Escape-control-characters-and-HTML-sensitive-chars">Key Rule: Escape control characters and HTML-sensitive chars</h4><ul><li>Encode <code><</code>, <code>></code>, and <code>&</code> as <code>\u003c</code>, <code>\u003e</code>, <code>\u0026</code> when JSON is embedded in HTML (e.g., in a script tag)</li><li>Always set correct <code>Content-Type: application/json</code> to prevent MIME-type sniffing</li><li>Escape U 2028 (line separator) and U 2029 (paragraph separator) — these can break JavaScript parsers</li></ul><h4 id="Example">Example:</h4><pre class='brush:php;toolbar:false;'>// Dangerous if not escaped <script> var userData = {"name": "<script>alert(1)</script>"}; </script> // Safe with proper escaping var userData = {"name": "\u003cscript\u003ealert(1)\u003c/script\u003e"};</pre><p>? Use built-in JSON serializers (<code>JSON.stringify()</code> in JS, <code>json_encode()</code> in PHP, etc.) — they handle most of this correctly <em>if used properly</em>. But never concatenate JSON from strings — always serialize structured data.</p><hr /><h3 id="SQL-Queries-Never-Trust-Strings">3. SQL Queries: Never Trust Strings</h3><p>SQL injection remains a top vulnerability. The issue? User input gets interpreted as executable code.</p><h4 id="Key-Rule-Use-parameterized-queries-not-escaping">Key Rule: Use parameterized queries — not escaping</h4><ul><li>Forget manual escaping (like <code>mysql_real_escape_string</code>) — it’s error-prone and outdated</li><li>Use <strong>prepared statements</strong> with <strong>parameterized queries</strong></li><li>Parameters are sent separately from the query structure, so they’re never parsed as SQL</li></ul><h4 id="Example-Python-with-psycopg">Example (Python with psycopg2):</h4><pre class='brush:php;toolbar:false;'># ? Dangerous query = f"SELECT * FROM users WHERE name = '{name}'" cursor.execute(query) # ? Safe cursor.execute("SELECT * FROM users WHERE name = %s", (name,))</pre><p>?? ORM libraries (like SQLAlchemy, Django ORM, or Entity Framework) also help by defaulting to safe patterns — but watch out for raw SQL sections.</p> <hr> <h3 id="Summary-Match-the-Escape-to-the-Context">Summary: Match the Escape to the Context</h3> <table> <thead><tr> <th>Context</th> <th>Primary Threat</th> <th>Safe Strategy</th> </tr></thead> <tbody> <tr> <td>HTML</td> <td>XSS</td> <td>Context-aware HTML escaping; use auto-escaping templates</td> </tr> <tr> <td>JSON</td> <td>Script injection in HTML/JS</td> <td> <code>\u</code> escaping for special chars; always use JSON serializer</td> </tr> <tr> <td>SQL</td> <td>SQL injection</td> <td>Parameterized queries — never string concatenation</td> </tr> </tbody> </table> <p>You can’t just “escape everything” with one function and call it a day. The same user input — say, <code>O'Reilly <script>test</script></code> — needs:</p> <ul> <li>Apostrophe handled in SQL (via parameters)</li> <li>Tags escaped in HTML</li> <li>Possibly escaped in JSON if embedded in a page</li> </ul> <p><strong>Bottom line</strong>: Always ask: <em>Where is this going?</em> The output context dictates the defense. Get that right, and you’re already ahead of most breaches.</p> <p>Basically, it’s not about escaping — it’s about <strong>understanding the language of the destination</strong>.</p>

The above is the detailed content of Context is King: Tailoring Escape Strategies for HTML, JSON, and SQL Output. For more information, please follow other related articles on the PHP Chinese website!