Alert Widget and Html::encode


I am using the Alert widget found the in the advanced template.

I’m adding informational alerts throughout my code like this:

Yii::$app->session->setFlash( 'success', 'Record "' . $model->name . '" saved.' );

It occurred to me that I probably should Html::encode the $model->name, since that is entered by the user.

From an application architecture point of view, should I modify the Alert widget to Html::encode the $message there, or Html::encode each message when I invoke setFlash?

Obviously it can be done either way, but one way is probably better.



It depends on what you want to do. If you ever want to not have it encoded and use HTML elements then do it in the place you set it. If you don’t, then do it where you echo the messages. If the messages take user input then make sure you encode it.

Personally I encode all of my messages so I don’t have to worry about anything.
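The "encode at the place you set it" option above, as an added example that is not from this thread or from the advanced template. It assumes a Yii 2 application with yii\helpers\Html available; the setEncodedFlash helper and the placeholder syntax are my own, and $untrustedName is a constructed value standing in for $model->name.

```php
<?php
// Added example (not part of the original thread or the Yii advanced template).
// Assumes a Yii 2 application: Yii::$app->session and yii\helpers\Html exist.
use yii\helpers\Html;

/**
 * Set a flash message whose template may contain trusted markup, while every
 * value interpolated into it is HTML-encoded first. This keeps the decision
 * "encode user data" at the place the flash is set, so the Alert widget can
 * keep echoing messages unencoded for templates that intentionally use HTML.
 *
 * Placeholders in $template are written as {name}; $params maps each
 * placeholder name to its raw, untrusted value.
 */
function setEncodedFlash(string $type, string $template, array $params = []): void
{
    $replacements = [];
    foreach ($params as $name => $value) {
        // Html::encode uses htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE,
        // so both quote characters are encoded and the value is also safe
        // inside a double- or single-quoted attribute.
        $replacements['{' . $name . '}'] = Html::encode((string) $value);
    }
    // strtr() replaces all placeholders in one pass; an encoded value that
    // happens to contain "{name}" is therefore not re-expanded.
    Yii::$app->session->setFlash($type, strtr($template, $replacements));
}

// Constructed untrusted input (stands in for $model->name from the question).
$untrustedName = 'O\'Brien & <Sons>';

// Trusted markup stays in the template; only the user-supplied name is encoded.
setEncodedFlash(
    'success',
    'Record <strong>"{name}"</strong> saved.',
    ['name' => $untrustedName]
);

// The other option from the answer, encoding where the messages are echoed,
// means changing the widget to render Html::encode($message) instead of
// $message; it is simpler but then no flash can carry markup at all.
```

The helper encodes the value, not the template, so a template that carries a link or bold text still renders, while the interpolated name is displayed literally.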