.claude/skills/klytos-escape-and-sanitization/SKILL.md
Complete guide for escape and sanitization functions in Klytos CMS. Use when outputting data to HTML, processing user input, filtering HTML content, implementing CSRF protection, validating data, or protecting forms against CSRF attacks. Essential for secure output escaping, input sanitization, HTML filtering with KSES, and form security.
npx skillsauth add joseconti/klytos klytos-escape-and-sanitization
The golden rules:
Treat $_POST, $_GET, MCP params, and API inputs as untrusted.

klytos_esc_html(string $text): string
Converts &, <, >, ", ' to HTML entities. Safe against double-encoding: an entity that is already present (such as &amp;) is not encoded a second time.
```php
<p><?php echo klytos_esc_html($userInput); ?></p>
```
klytos_esc_attr(string $text): string
Same as klytos_esc_html() but also strips tabs, newlines, and carriage returns to prevent attribute injection. Always quote the attribute value; the escaping assumes a quoted context.
```php
<input type="text" value="<?php echo klytos_esc_attr($value); ?>">
```
klytos_esc_url(string $url, array $protocols = ['http', 'https', 'mailto', 'tel']): string
Validates the scheme against the protocol allowlist and rejects anything outside it (javascript:, data:, vbscript:, ...). Returns an empty string if the URL is invalid, so check for '' where an href is required.
```php
<a href="<?php echo klytos_esc_url($link); ?>">
```
klytos_esc_js(string $string): string
Escapes ', ", \, newlines, and </script>. Use it only inside a quoted JS string literal; it does not make an unquoted expression safe.
```php
<script>var name = '<?php echo klytos_esc_js($name); ?>';</script>
```
klytos_esc_textarea(string $text): string
| Context | Function |
|---|---|
| Inside <p>, <h1>, <span> | klytos_esc_html() |
| Inside value="", data-*="" | klytos_esc_attr() |
| Inside href="", src="" | klytos_esc_url() |
| Inside <script> string | klytos_esc_js() |
| Inside <textarea> | klytos_esc_textarea() |
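The table above is easiest to believe once you see what each escaper must neutralise and what happens when the wrong one is used. The block below is an added example for this guide, not Klytos code: the demo_esc_* functions are stand-ins that follow the contract described above (HTML entities, attribute whitespace stripping, scheme allowlist, JS string escaping), and the payloads are constructed for the demonstration. The last case shows the pairing the table exists to prevent: HTML escaping leaves a javascript: URL untouched because it contains no HTML-special characters.

```php
<?php
declare(strict_types=1);

// Stand-in escapers written for this example. They follow the contract the
// context table gives for the klytos_esc_* functions but are NOT Klytos's
// own code; the demo_ prefix makes that explicit.

function demo_esc_html(string $text): string
{
    // ENT_QUOTES also converts ' (to &#039;); double_encode=false leaves an
    // existing &amp; alone instead of producing &amp;amp;.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

function demo_esc_attr(string $text): string
{
    // Same entities as HTML text; tabs and line breaks are removed as well so
    // a value cannot be used to split an attribute list.
    return str_replace(["\t", "\n", "\r"], '', demo_esc_html($text));
}

function demo_esc_url(string $url, array $protocols = ['http', 'https', 'mailto', 'tel']): string
{
    // Decode entities first so javascript&colon;alert(1) is seen for what it
    // is, then drop control characters, which browsers ignore inside a scheme
    // ("java\tscript:" still runs as javascript:).
    $clean = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $clean = trim(preg_replace('/[\x00-\x1f\x7f]+/', '', $clean) ?? '');
    if ($clean === '') {
        return '';
    }
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)
        && !in_array(strtolower($m[1]), $protocols, true)) {
        return '';                          // scheme present but not allowlisted
    }
    // Scheme-less input (a relative or protocol-relative URL) passes the
    // allowlist. Re-encode with double_encode=true: the value was fully
    // decoded above, so every & left is a literal one.
    return htmlspecialchars($clean, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function demo_esc_js(string $text): string
{
    // Only valid inside a quoted JS string literal. strtr applies every rule
    // in a single pass, so the backslash rule never re-escapes its own output.
    $text = strtr($text, [
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
        "\n" => '\\n', "\r" => '\\r', "\u{2028}" => '\\u2028', "\u{2029}" => '\\u2029',
    ]);
    // A literal </script> ends the element even inside a string; break it up.
    return str_ireplace('</script', '<\\/script', $text);
}

// Constructed payloads, one per context, plus the wrong pairing.
function demo_matrix(): array
{
    return [
        'html'        => demo_esc_html('<img src=x onerror=alert(1)>'),
        'attr'        => demo_esc_attr("\" autofocus onfocus=alert(1) x=\""),
        'url_tab'     => demo_esc_url("java\tscript:alert(1)"),
        'url_entity'  => demo_esc_url('javascript&colon;alert(1)'),
        'url_ok'      => demo_esc_url('https://example.com/?a=1&b=2'),
        'js_quote'    => demo_esc_js("'; alert(1); //"),
        'js_close'    => demo_esc_js('</script><script>alert(1)</script>'),
        // Wrong function for the context: HTML escaping leaves a scheme intact.
        'html_on_url' => demo_esc_html('javascript:alert(1)'),
    ];
}

foreach (demo_matrix() as $case => $out) {
    printf("%-12s %s\n", $case, $out === '' ? '(rejected)' : $out);
}
```

Run it with `php demo.php`. The two url_* cases come back rejected, url_ok keeps its query string with `&` re-encoded, js_close has both `</script` sequences broken, and html_on_url prints `javascript:alert(1)` unchanged, which is why href and src get klytos_esc_url() rather than klytos_esc_html().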
```php
klytos_sanitize_text(string $text): string       // Strip tags, normalize whitespace, trim
klytos_sanitize_email(string $email): string     // Validate + lowercase (empty if invalid)
klytos_sanitize_url(string $url): string         // Strip control chars, reject dangerous protocols
klytos_sanitize_filename(string $name): string   // basename, replace unsafe chars, fallback 'unnamed'
klytos_sanitize_key(string $key): string         // Lowercase a-z0-9_- only
klytos_sanitize_title(string $title): string     // Delegates to sanitizeSlug()
klytos_sanitize_html(string $html): string       // Strip dangerous tags, remove event handlers
klytos_sanitize_int(mixed $value): int           // Cast to safe int
klytos_sanitize_float(mixed $value): float       // Cast to safe float
```
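The one-line contracts above hide the inputs that break naive sanitizers: null bytes and path separators in filenames, leading dots that create hidden files, and whitespace or newlines around e-mail addresses. The block below is an added example for this guide, not Klytos code; the demo_sanitize_* functions are stand-ins that follow the filename, key and email contracts listed above, the choice to keep Unicode letters in filenames is this example's, and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Stand-in sanitizers for this example (not Klytos's implementations).

function demo_sanitize_filename(string $name): string
{
    $name = str_replace("\0", '', $name);          // NUL would truncate the path at the C level
    $name = str_replace('\\', '/', $name);         // treat Windows separators as separators
    $name = basename($name);                       // drop every directory component (../../etc)
    // Keep letters, digits, dot, underscore and dash (assumption: Unicode
    // letters allowed); collapse runs of anything else to a single dash.
    $name = preg_replace('/[^\p{L}\p{N}._-]+/u', '-', $name) ?? '';
    $name = trim($name, '.-');                     // no hidden files (.htaccess), no "..", no bare "-"
    // Extension policy (e.g. rejecting .php) is a separate check, not done here.
    return $name === '' ? 'unnamed' : $name;
}

function demo_sanitize_key(string $key): string
{
    // Lower-case a-z, 0-9, underscore and dash only, as used for option keys.
    return preg_replace('/[^a-z0-9_-]/', '', strtolower($key)) ?? '';
}

function demo_sanitize_email(string $email): string
{
    $email = strtolower(trim($email));
    // FILTER_VALIDATE_EMAIL rejects embedded CR/LF, so a value aimed at mail
    // header injection becomes '' instead of being stored.
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? '' : $email;
}

// Constructed inputs covering the edge cases each function must survive.
$samples = [
    'filename' => ["../../etc/passwd", "..\\..\\win.ini", ".htaccess", "evil.php\0.jpg", "résumé 2024.pdf", "//"],
    'key'      => ["My-Plugin.Name", "DROP TABLE;", "  admin_key  "],
    'email'    => [" Alice@Example.COM ", "alice@@example.com", "alice@example.com\r\nbcc:x@y"],
];
foreach ($samples as $kind => $inputs) {
    $fn = 'demo_sanitize_' . $kind;
    foreach ($inputs as $in) {
        printf("%-8s %-34s -> %s\n", $kind, json_encode($in), json_encode($fn($in)));
    }
}
```

The traversal inputs reduce to `passwd` and `win.ini`, `.htaccess` loses its leading dot, `//` falls back to `unnamed`, and the e-mail with an embedded CRLF is returned as an empty string. Note that `evil.php.jpg` survives: sanitizing a filename does not decide which extensions an upload handler should accept.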
klytos_kses(string $html, array $allowedTags): string
```php
$safe = klytos_kses($input, [
    'a'      => ['href' => true, 'title' => true],
    'strong' => [],
    'em'     => [],
    'p'      => ['class' => true],
]);
```
klytos_kses_post(string $html): string
Allowed (~40 tags): h1-h6, p, br, hr, a, img, ul, ol, li, table, thead, tbody, tr, th, td, strong, em, b, i, u, s, blockquote, pre, code, span, div, section, article, header, footer, nav, main, aside, figure, figcaption, video, audio, source, details, summary, mark, small, sub, sup, dl, dt, dd.
Excluded: script, style, iframe, form, object, embed, svg.
Extendable via the kses_post_allowed_tags filter.
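To see what an allowlist filter of the klytos_kses() / klytos_kses_post() kind actually has to decide, the block below walks a DOM tree with the same allowlist shape as the klytos_kses() call above. It is an added example for this guide, not Klytos's implementation: the demo_ functions, the choice to unwrap unknown formatting tags but drop script-like ones entirely, and the scheme check on href/src are assumptions made here, and the input is constructed. The point it makes is that allowing the href attribute is not the same as allowing javascript: in it.

```php
<?php
declare(strict_types=1);

// Tags whose content is code or a foreign document: drop them with their
// content. Any other disallowed tag is unwrapped so its text survives.
const DEMO_DROP_WHOLE = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'form'];
const DEMO_URL_PROTOCOLS = ['http', 'https', 'mailto', 'tel'];

function demo_url_scheme_ok(string $url): bool
{
    // The DOM parser already decoded entities; strip control characters and
    // whitespace before looking for a scheme ("java\tscript:" is javascript:).
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
    return !preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)
        || in_array(strtolower($m[1]), DEMO_URL_PROTOCOLS, true);
}

function demo_kses_walk(DOMNode $parent, array $allowed): void
{
    // Iterate over a snapshot because the loop body edits the child list.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMComment) {
            $parent->removeChild($child);           // comments can carry conditional markup
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                               // text nodes are data and stay as they are
        }
        demo_kses_walk($child, $allowed);           // filter descendants before deciding on the tag
        $tag = strtolower($child->tagName);
        if (!isset($allowed[$tag])) {
            if (!in_array($tag, DEMO_DROP_WHOLE, true)) {
                while ($child->firstChild !== null) {   // keep the (already filtered) content
                    $parent->insertBefore($child->firstChild, $child);
                }
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = !empty($allowed[$tag][$name]) && !str_starts_with($name, 'on');
            if ($ok && in_array($name, ['href', 'src'], true)) {
                $ok = demo_url_scheme_ok($attr->nodeValue);   // href allowed != javascript: allowed
            }
            if (!$ok) {
                $child->removeAttribute($attr->nodeName);
            }
        }
    }
}

function demo_kses(string $html, array $allowed): string
{
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);      // HTML5 tags are reported, not fatal
    $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $dom->documentElement;                 // the wrapper <div>
    demo_kses_walk($root, $allowed);
    $out = '';
    foreach ($root->childNodes as $node) {         // serialise children only, not the wrapper
        $out .= $dom->saveHTML($node);
    }
    return $out;
}

// Same allowlist shape as the klytos_kses() call in this guide.
$allowed = [
    'a'      => ['href' => true, 'title' => true],
    'strong' => [],
    'em'     => [],
    'p'      => ['class' => true],
];
// Constructed input mixing allowed markup with the usual attack surface.
$dirty = '<p class="intro" onclick="steal()">Hi <strong>there</strong>, '
    . '<a href="javascript:alert(1)" title="t">bad</a> '
    . '<a href="https://example.com/?a=1&amp;b=2">ok</a> '
    . '<script>alert(1)</script><em style="color:red">em</em> <u>under</u></p>'
    . '<iframe src="https://evil.example/"></iframe><!-- hidden -->';
echo demo_kses($dirty, $allowed), PHP_EOL;
```

The output keeps `<p class="intro">`, both links and the emphasis, but `onclick` and `style` are gone, the first link has lost its javascript: href while keeping its title, the script and iframe are removed with their content, `<u>` is reduced to its text, and the comment is dropped. Extending the allowlist (the kses_post_allowed_tags filter in Klytos) is therefore a matter of adding tag and attribute names, while the URL rule stays in force for every href and src.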
klytos_csrf_field(): string  // Returns <input type="hidden" name="csrf" value="...">
klytos_verify_csrf(): bool   // Checks POST['csrf'], the X-CSRF-Token header, and GET['csrf']
Send the token in the POST body or in the X-CSRF-Token header (the header form is what fetch() and API clients use). Avoid the GET form: a token in the query string ends up in access logs and browser history and leaks through the Referer header.
```php
<form method="POST">
    <?php echo klytos_csrf_field(); ?>
    <button type="submit">Save</button>
</form>
```
```php
// Processing:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && klytos_verify_csrf()) {
    // Safe to process
}
```
IMPORTANT: Every POST form in admin MUST include CSRF protection.
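The following is an added example of the token plumbing behind a klytos_csrf_field() / klytos_verify_csrf() pair, written for this guide rather than taken from Klytos. The demo_ functions, the session and request arrays (passed in so the script runs from the CLI instead of reading $_SESSION and $_POST), and the decision to reject tokens sent in the query string are all assumptions of this example.

```php
<?php
declare(strict_types=1);

const DEMO_CSRF_KEY = 'csrf';

// One token per session, created lazily. 32 random bytes, hex-encoded.
function demo_csrf_token(array &$session): string
{
    if (empty($session[DEMO_CSRF_KEY]) || !is_string($session[DEMO_CSRF_KEY])) {
        $session[DEMO_CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[DEMO_CSRF_KEY];
}

function demo_csrf_field(array &$session): string
{
    // The token is hex, but escape it anyway: it lands inside an attribute.
    $token = htmlspecialchars(demo_csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . DEMO_CSRF_KEY . '" value="' . $token . '">';
}

// $request = ['method' => ..., 'post' => [...], 'headers' => [...]].
// Only the POST body and the X-CSRF-Token header are consulted; a token in
// the query string would leak via Referer headers, history and access logs.
function demo_verify_csrf(array $session, array $request): bool
{
    if (($request['method'] ?? '') !== 'POST' || empty($session[DEMO_CSRF_KEY])) {
        return false;                               // no session token yet: nothing can match
    }
    $sent = $request['post'][DEMO_CSRF_KEY] ?? $request['headers']['X-CSRF-Token'] ?? null;
    if (!is_string($sent)) {
        return false;                               // csrf[]=... arrives as an array; reject it
    }
    // hash_equals: constant-time comparison, so timing does not reveal how
    // many leading characters of a guess were right.
    return hash_equals($session[DEMO_CSRF_KEY], $sent);
}

// Constructed requests: the legitimate form, a fetch() call, and three attacks.
$session = [];
$field = demo_csrf_field($session);                // what the form template would print
$token = $session[DEMO_CSRF_KEY];

$cases = [
    'form post with token'    => ['method' => 'POST', 'post' => [DEMO_CSRF_KEY => $token]],
    'fetch() with header'     => ['method' => 'POST', 'headers' => ['X-CSRF-Token' => $token]],
    'forged cross-site post'  => ['method' => 'POST', 'post' => [DEMO_CSRF_KEY => str_repeat('0', 64)]],
    'token in query string'   => ['method' => 'GET',  'get' => [DEMO_CSRF_KEY => $token]],
    'array instead of string' => ['method' => 'POST', 'post' => [DEMO_CSRF_KEY => [$token]]],
];
echo $field, PHP_EOL;
foreach ($cases as $label => $request) {
    printf("%-26s %s\n", $label, demo_verify_csrf($session, $request) ? 'accepted' : 'rejected');
}
```

Only the first two requests are accepted. The cross-site form cannot read the session-bound token, so it fails hash_equals; the GET variant fails the method check; and the array case fails the is_string check, which matters because PHP happily parses `csrf[]=x` into an array and a loose comparison could behave unexpectedly.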
```php
klytos_is_email(string $email): bool   // filter_var(FILTER_VALIDATE_EMAIL)
klytos_is_url(string $url): bool       // Valid http/https URL
```
```php
<?php
// Handle the submission: check the method and the CSRF token before reading any input.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && klytos_verify_csrf()) {
    // Sanitize on input: every value from $_POST is untrusted.
    $name  = klytos_sanitize_text($_POST['name'] ?? '');
    $email = klytos_sanitize_email($_POST['email'] ?? '');
    $count = klytos_sanitize_int($_POST['count'] ?? 0);   // shown for the int cast; this form has no count field

    // Validate after sanitizing (sanitize_email already returns '' for an invalid address).
    if ($name === '') {
        $error = 'Name required';
    } elseif (!klytos_is_email($email)) {
        $error = 'Invalid email';
    } else {
        klytos_set_option('my-plugin.name', $name);
        klytos_set_option('my-plugin.email', $email);
        $success = 'Saved';
    }
}
$name = klytos_get_option('my-plugin.name', '');
?>
<form method="POST">
    <?php echo klytos_csrf_field(); ?>
    <!-- Escape on output, even though the stored value was sanitized on the way in. -->
    <input name="name" value="<?php echo klytos_esc_attr($name); ?>">
    <button type="submit" class="btn btn-primary">Save</button>
</form>
```
Source: core/helpers.php (lines 423-944), core/helpers-global.php, core/helpers.php (line 709), core/helpers.php (lines 913-944)