CakePHP has a global function called `h()`. It's a convenience method for `htmlspecialchars()`. CakePHP also has a utility called `Sanitize`, which has a method called `html()`. Here is part of its description:

> This method prepares user-submitted data for display inside HTML. This is especially useful if you don't want users to be able to break your layouts or insert images or scripts inside of your HTML pages.

When should each be used? Is one better than the other?
`Sanitize::html()` is more versatile: it lets you strip the HTML completely (via the `remove` option), and lets you specify how it handles quoting.

See the source code:

- `h()`: http://api.cakephp.org/2.3/source-function-h.html#160-199
- `Sanitize::html()`: http://api.cakephp.org/2.3/source-class-Sanitize.html#83-122

EDIT:

- `h()`: calls `htmlspecialchars()`
- `Sanitize::html()`: calls `htmlentities()`

For discussion on differences, see: htmlentities() vs. htmlspecialchars()
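To make the difference concrete, here is an added example (not from the answer above and not CakePHP's own code) that stands in for the two helpers with the plain PHP functions they wrap, so it runs without CakePHP installed; the function names `like_h` and `like_sanitize_html` and the sample input are constructed for illustration, and the `remove`/`quotes`/`charset` option names follow the `Sanitize::html()` options the answer links to.

```php
<?php
// Constructed untrusted input: a script tag, both quote styles and a non-ASCII character,
// so each output context the answer mentions (tags, quoting, character encoding) is covered.
$untrusted = '<script>alert(1)</script> "double" \'single\' café';

// Stand-in for h(): htmlspecialchars() with ENT_QUOTES and UTF-8.
// Only & < > " ' are encoded; "café" passes through unchanged.
function like_h($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Sanitize::html(): optionally strip tags first, then htmlentities(),
// which also converts every character that has a named entity (é becomes &eacute;).
function like_sanitize_html($text, array $options = array()) {
    $options += array('remove' => false, 'quotes' => ENT_QUOTES, 'charset' => 'UTF-8');
    if ($options['remove']) {
        // 'remove' => true: drop the markup entirely, then encode whatever text is left.
        $text = strip_tags($text);
    }
    return htmlentities($text, $options['quotes'], $options['charset']);
}

// Encode for display: the script tag is neutralised either way; only the
// treatment of "café" differs between the two.
echo like_h($untrusted), "\n";
echo like_sanitize_html($untrusted), "\n";

// Strip instead of encode: the tag and its text are gone before encoding.
echo like_sanitize_html($untrusted, array('remove' => true)), "\n";

// The quoting option is the security-relevant knob: ENT_COMPAT encodes double quotes only,
// so output placed inside a single-quoted attribute would let the single quote through.
// Keep ENT_QUOTES (the default) unless you control every context the output lands in.
echo like_sanitize_html("it's", array('quotes' => ENT_COMPAT)), "\n";
echo like_sanitize_html("it's"), "\n";
```

Run it with `php example.php` and compare the five lines; the last two show why the quoting option should stay at `ENT_QUOTES` when the output may end up inside attribute values.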
Source: https://stackoverflow.com/questions/17159548/cakephp-h-vs-sanitizehtml