yii2 - Why use yii\helpers\Html instead of just typing


Just a basic newbie question to understand the reasoning. Why should one use HTML helpers available in Yii2, or can't we just type the tags if we are strong in our HTML skills.

Example: Seen in the basic views...

<h1><?= Html::encode($this->title) ?></h1>

Why should I not just type...

<h1>My Title</h1>
3

There are 3 best solutions below

2
BEST ANSWER

It's really up to you.

But by using the framework's helpers, widgets and coding style, you keep your code consistent, reduce errors and bugs, and even lower the security risks.

Using your example:

Imagine that $this->title is set to the name of a user in your main layout file:

<?php $this->title = $user->name; ?>

<h1><?= $this->title ?></h1>

Now, let's imagine that a user managed to set his username to <script>console.log('I can steal your cookies now!');</script>NotAHacker in the registration form (also because you decided to save directly to the database instead of using the framework).

That will render the following:

<h1><script>console.log('I can steal your cookies now!');</script>NotAHacker</h1>

And you will see just this:

NotAHacker

And in the JavaScript console, I can steal your cookies now! will appear.

That's a major security risk! The bad people out there can steal your cookies information, record activity, steal passwords, etc.

But that can easily be fixed by doing it the framework way.

<?php $this->title = $user->name; ?>

<h1><?= Html::encode($this->title) ?></h1>

And that will render:

<h1>&lt;script&gt;console.log(&#39;I can steal your cookies now!&#39;);&lt;/script&gt;NotAHacker</h1>

And you will see:

<script>console.log('I can steal your cookies now!');</script>NotAHacker

But nothing will be executed!

So, what's the point? Frameworks like Yii2 develop their helpers and widgets so you can trust that nothing bad will happen while you use their methods (and if you ever come across encoding problems, you will love these helper classes). This is crucial in a production environment, when you have a lot of variables and you can't let anything slip through your fingers.

TL;DR: If you trust your framework, use its available methods every time you can.
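To make the difference concrete without a Yii installation, here is an added example (my own stand-alone PHP, not code from the answer above and not Yii's own code). It reproduces what yii\helpers\Html::encode() does by calling htmlspecialchars() with the same flags Yii uses, renders the sample username from the answer both ways, and shows two details a reviewer usually asks about: quotes inside attribute values and double encoding. The function names and the UTF-8 charset are assumptions.

```php
<?php
// Added example, not from the original answer and not Yii's own code.
// Run with: php encode_demo.php
declare(strict_types=1);

// Framework-free equivalent of yii\helpers\Html::encode().
// Assumption: the application charset is UTF-8 (Yii passes Yii::$app->charset).
function encode(string $content, bool $doubleEncode = true): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// The unsafe rendering from the answer: the value lands in the markup untouched,
// so a username containing a <script> tag becomes real markup in the page.
function renderTitleRaw(string $title): string
{
    return '<h1>' . $title . '</h1>';
}

// The framework way: every character with HTML meaning (< > & " ') becomes an
// entity, so the browser displays it as text and never parses it as a tag.
function renderTitleEncoded(string $title): string
{
    return '<h1>' . encode($title) . '</h1>';
}

// Check a reviewer can run: nothing that could open or close a tag survives.
function containsNoTagChars(string $html): bool
{
    return strpos($html, '<') === false && strpos($html, '>') === false;
}

// Constructed sample input: the username from the answer above.
$username = "<script>console.log('I can steal your cookies now!');</script>NotAHacker";

echo "Raw:     ", renderTitleRaw($username), PHP_EOL;
echo "Encoded: ", renderTitleEncoded($username), PHP_EOL;
echo "Tag chars left after encoding: ", containsNoTagChars(encode($username)) ? 'none' : 'SOME', PHP_EOL;

// Attribute context: ENT_QUOTES also escapes " and ', so a value placed inside a
// quoted attribute cannot terminate the attribute early. This is why encode() is
// safe for element content and quoted attribute values. It is NOT sufficient on
// its own for data placed inside a <script> block, a URL, or an unquoted attribute;
// those contexts need their own escaping (e.g. json_encode() for script data).
$displayName = 'Rock "n" Roll \'99';
echo 'Attribute: <a title="', encode($displayName), '">profile</a>', PHP_EOL;

// Double encoding: with the default $doubleEncode = true (also Html::encode's
// default) an already-encoded value has its '&' escaped again, which is the safe
// choice when you cannot be sure the value was not encoded earlier.
echo "Double:  ", encode('&lt;b&gt;'), PHP_EOL;        // &amp;lt;b&amp;gt;
echo "Single:  ", encode('&lt;b&gt;', false), PHP_EOL; // &lt;b&gt;
```

The rule the answer gives follows directly from this: decide the output context first (element text, attribute value, script, URL), then apply the encoder for that context; Html::encode() covers the first two, which is where a page title ends up.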

1

First of all, you would not use the dynamic title property but hardcode a string. Second, if you use a variable or property to output in your view, then using the Html::encode() helper will prevent cross-site scripting (XSS) attacks, because any HTML in the variable will be escaped before outputting.

0

This is to prevent XSS attacks.

If the data is not from the user's client and you have control over it (for example an id or a date), you can echo it safely:

<?php
// Server-controlled value, so no user-supplied markup can be in it.
echo $title;
?>

If the data is entered by a user and could be anything, you must encode it:

<?php
$title = "<h1><script>alert(1);</script>Hi!</h1>";
// Every HTML-significant character becomes an entity; the browser shows it as text.
echo \yii\helpers\Html::encode($title);
?>

Output: "&lt;h1&gt;&lt;script&gt;alert(1);&lt;/script&gt;Hi!&lt;/h1&gt;"
And shown in the browser: "<h1><script>alert(1);</script>Hi!</h1>" (without execution, so it's safe)

But if you want to get HTML data from users and want to be sure it is safe, use this code:

<?php
$title = "<h1><script>alert(1);</script>Hi!</h1>";
// Keeps allowed HTML, strips script tags and other dangerous markup.
echo \yii\helpers\HtmlPurifier::process($title);
?>

Output: "<h1>Hi!</h1>"
And shown in the browser: "Hi!" (this HTML is rendered, but you can see that the script tag and other things that are a security risk are removed, so it's safe.)