Escaping Data

I just need a little clarification on when to use html_escape. On my browse.php I have the following:

<?php if($search=$_GET['search']||$sort=$_GET['sort_field']||$advanced=$_GET['advanced']||$collection=$_GET['collection']||$tags=$_GET['tags']):
$imagelink = item_uri().'?'. $_SERVER['QUERY_STRING'];
echo '<div class="item-img"><a href="'.$imagelink.'">'.item_square_thumbnail(array('alt'=>item('Dublin Core', 'Title'))).'</a></div>';

Am I correct in not having html_escape before the $_SERVER['QUERY_STRING'] and also not having it before $imagelink that is part of the link? Do you only really use html_escape if you are using echo? Like echo html_escape(item_uri());?

You're basically right that you want to use html_escape when you're echoing stuff to the page (especially when that stuff comes from the user, like $_SERVER['QUERY_STRING']).

The trick here is that while you're not immediately echoing $imagelink, you are echoing it as part of the HTML in the next line, so you should be escaping it.

Thanks. I think I am beginning to understand the logic of this, however, as always, I have a few more questions. Later on in my items/browse.php I have the following:

<?php if ($collection = get_collection_by_id($_GET['collection']))
{$html .= 'Collection: '.$collection->name;}
if ($tags = html_escape($_GET['tags']))
{$html .= ' Tags: '.$tags;}
    echo $html;

Am I right in not escaping the $_GET['collection'] because it's in the if statement and it's inside the get_collection_by_id helper function? And then using html_escape on the $_GET['tags'] because it's not within a helper function?

Also in my header.php and footer.php files I've been using:

<?php echo public_nav_main(array('Home' => uri(''), 'Items' => uri('items',array('sort_field' => 'id')), 'Collections'=>uri('collections'),'Tags' => uri('items/tags?sort=alpha')));

However, I noticed over on your Github Account Page it looks like:

<?php echo public_nav_main(array(__('Home') => uri(''), __('Browse Items') => uri('items'), __('Browse Collections') => uri('collections'))); ?>

What's with the ___ before the Home etc? Is that related to escaping data as well.

What you have there isn't quite right. You definitely don't want to be escaping the collection id you pass to get_collection_by_id, so that part's right.

However, right after that, you get the collection's name and add it to the string you're going to print. That does need to be escaped, either with html_escape or the collection helper (which, like item, automatically escapes its output).

You don't need to be escaping $_GET['tags'] inside that if statement, but it doesn't really hurt anything, and you (again) should be escaping it eventually since it's part of HTML you're going to print out.

Basically, if you're using some piece of data only within PHP code, like you're passing it to another function or you're comparing a variable, you don't need to do html_escape. But if you're outputting the data and you don't know what it might contain (say, because it comes from the user or it's a piece of user-editable metadata), then you should always be escaping before outputting.

Of course, the helpers like item and collection that are specifically meant for outputting Omeka data, and they'll handle escaping for you by default.

The __ is our function for doing translations. You can read a little about it on the codex page for internationalization.

Thanks again. Since I was using the code above to post information about the collection and tags on the items/browse.php I couldn't figure out how to use the collection helper function like {$html .= 'Collection: '. collection('Name');}, so I just used html_escape instead: {$html .= 'Collection: '.html_escape($collection->name);}. And it works. I think I have an understanding now of what I should be escaping. Now I just have to go through my custom.php file, and a few other places.

Also thanks for pointing out what the __ is used for. I really had no idea what that was for.

I've been going through and replacing links like:
<a href="<?php echo html_escape(uri('items/browse')); ?>">Go to Items</a>
<?php echo link_to('items', 'browse', 'Go to Items'); ?>

However, on the login screen I'd like for the link to use https://. Is there any way to get that information in the link_to() or should I just use a static <a href="">Log In</a>?

Are you using Omeka's "ssl" configuration option in config.ini?

It won't automatically put https on the links, but it will automatically redirect to a https URL for you (with options for doing so just on the login page, on any page for a logged-in user, or on every page).

So this is the application/config/config.ini, not the one config.ini file in my theme. Currently it looks like this:

; ssl
; Secure Socket Layer support for Omeka.
; default: none
; Ensure that your server is properly configured before enabling this
; setting. Choose one of the following:
; "logins"
;   Force SSL for login forms and login form submissions.
; "sessions"
;   Force SSL for all authenticated users to protect sessions. Includes
;   login forms.
; "always"
;   Force SSL on across the entire site.
; ssl = "always"

So if I take away that last semi-colon, and use ssl=logins that should work.

Ah yes, I should have specified. Yes, I was talking about application/config/config.ini.

Taking away the semicolon and changing "always" to "logins" should make Omeka force an SSL redirect whenever anyone tries to go to the login page with a plain http URL, whether by a link or manually going directly to the address.

Thanks John, and thanks for all the help you and the others on the Omeka team have provided over the past year or so. The site I’ve been working on launched last Friday, and it wouldn’t look the way it currently does without the help you all have provided. Some of the features that came directly from discussions on these forums include:

  • Custom Next/Previous function that allows users to stay within search results
  • Links from the people depicted field
  • Sort by date in the public view
  • Random featured item gallery found throughout the site
  • Public theme log in page

There's a lot more, so if you’d like to see what all my questions ended looking like, you can check it out at Thanks again for all your help, and also thanks for all your help that I’m sure I’ll be asking for going forward.