| name | klytos-escape-and-sanitization |
| description | Complete guide for escape and sanitization functions in Klytos CMS. Use when outputting data to HTML, processing user input, filtering HTML content, implementing CSRF protection, validating data, or protecting forms against CSRF attacks. Essential for secure output escaping, input sanitization, HTML filtering with KSES, and form security. |
Klytos Escape & Sanitization Reference
When to Use This Skill
The golden rules:
- ALWAYS escape output before rendering in HTML, attributes, URLs, or JavaScript.
- ALWAYS sanitize input before storing or processing user-provided data.
- NEVER trust external data — treat everything from
$_POST, $_GET, MCP params, and API inputs as untrusted.
Output Escaping Functions
klytos_esc_html — For HTML Body Content
klytos_esc_html(string $text): string
Converts &, <, >, ", ' to HTML entities. Safe against double-encoding.
<p><?php echo klytos_esc_html($userInput); ?></p>
klytos_esc_attr — For HTML Attributes
klytos_esc_attr(string $text): string
Same as esc_html but also strips tabs, newlines, carriage returns to prevent attribute-injection.
<input type="text" value="<?php echo klytos_esc_attr($value); ?>">
klytos_esc_url — For URLs (href, src)
klytos_esc_url(string $url, array $protocols = ['http', 'https', 'mailto', 'tel']): string
Validates protocol allowlist. Rejects javascript:, data:, vbscript:. Returns empty string if invalid.
<a href="<?php echo klytos_esc_url($link); ?>">
klytos_esc_js — For JavaScript String Literals
klytos_esc_js(string $string): string
Escapes ', ", \, newlines, and </script>.
<script>var name = '<?php echo klytos_esc_js($name); ?>';</script>
klytos_esc_textarea — For Textarea Content
klytos_esc_textarea(string $text): string
Quick Reference
| Context | Function |
|---|
Inside <p>, <h1>, <span> | klytos_esc_html() |
Inside value="", data-*="" | klytos_esc_attr() |
Inside href="", src="" | klytos_esc_url() |
Inside <script> string | klytos_esc_js() |
Inside <textarea> | klytos_esc_textarea() |
Input Sanitization Functions
klytos_sanitize_text(string $text): string
klytos_sanitize_email(string $email): string
klytos_sanitize_url(string $url): string
klytos_sanitize_filename(string $name): string
klytos_sanitize_key(string $key): string
klytos_sanitize_title(string $title): string
klytos_sanitize_html(string $html): string
klytos_sanitize_int(mixed $value): int
klytos_sanitize_float(mixed $value): float
HTML Filtering (KSES)
klytos_kses — Custom Tag Allowlist
klytos_kses(string $html, array $allowedTags): string
$safe = klytos_kses($input, [
'a' => ['href' => true, 'title' => true],
'strong' => [],
'em' => [],
'p' => ['class' => true],
]);
klytos_kses_post — Page Content Allowlist
klytos_kses_post(string $html): string
Allowed (~40 tags): h1-h6, p, br, hr, a, img, ul, ol, li, table, thead, tbody, tr, th, td, strong, em, b, i, u, s, blockquote, pre, code, span, div, section, article, header, footer, nav, main, aside, figure, figcaption, video, audio, source, details, summary, mark, small, sub, sup, dl, dt, dd.
Excluded: script, style, iframe, form, object, embed, svg.
Extendable via kses_post_allowed_tags filter.
CSRF Protection
klytos_csrf_field(): string
klytos_verify_csrf(): bool
<form method="POST">
<?php echo klytos_csrf_field(); ?>
<button type="submit">Save</button>
</form>
if ($_SERVER['REQUEST_METHOD'] === 'POST' && klytos_verify_csrf()) {
}
IMPORTANT: Every POST form in admin MUST include CSRF protection.
Validation Helpers
klytos_is_email(string $email): bool
klytos_is_url(string $url): bool
Complete Example: Secure Form
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST' && klytos_verify_csrf()) {
$name = klytos_sanitize_text($_POST['name'] ?? '');
$email = klytos_sanitize_email($_POST['email'] ?? '');
$count = klytos_sanitize_int($_POST['count'] ?? 0);
if ($name === '') { $error = 'Name required'; }
elseif (!klytos_is_email($email)) { $error = 'Invalid email'; }
else {
klytos_set_option('my-plugin.name', $name);
klytos_set_option('my-plugin.email', $email);
$success = 'Saved';
}
}
$name = klytos_get_option('my-plugin.name', '');
?>
<form method="POST">
<?php echo klytos_csrf_field(); ?>
<input name="name" value="<?php echo klytos_esc_attr($name); ?>">
<button type="submit" class="btn btn-primary">Save</button>
</form>
Source Files
- Escape/sanitization:
core/helpers.php (lines 423-944)
- Global wrappers:
core/helpers-global.php
- KSES tags:
core/helpers.php (line 709)
- CSRF:
core/helpers.php (lines 913-944)