Name	Name	Last commit message	Last commit date
parent directory ..
README.md	README.md
context-css.md	context-css.md
context-html-attribute.md	context-html-attribute.md
context-html.md	context-html.md
context-javascript.md	context-javascript.md
context-url.md	context-url.md
encodings.md	encodings.md
exceptions.md	exceptions.md
getting-started.md	getting-started.md
security-notes.md	security-notes.md

Name

Last commit message

Last commit date

initphp/escaper — Documentation

This directory is the developer reference for initphp/escaper. The top-level README is intentionally short; everything in depth lives here.

Index

Getting started — install, first call, the Esc facade vs. instantiating Escaper.
Per-context guides — one file per output context, with the rules the escaper applies, the threats it defeats, and runnable examples:
- HTML body context (escHtml)
- HTML attribute context (escHtmlAttr)
- JavaScript context (escJs)
- CSS context (escCss)
- URL context (escUrl)
Encodings — non-UTF-8 input/output, the supported list and how conversion is performed.
Exceptions — the exception tree and when each one is thrown.
Security notes — caveats, common misuses, and pointers to authoritative sources.

Code samples assume the autoloader has already been required.
Output shown in // comments is the literal string the escaper returns. Each sample was generated by running the escaper itself, not hand-written.
"Untrusted" means any data that has touched the network, the filesystem, a database, or anything else outside your PHP process — in other words, "almost everything".