When do you use the h() function?

Hello, I am a little lost on the use of this function.

Do we absolutely have to escape everything that comes from our database on our view? Does the framework do it itself?

In the case of sending an email, is that also useful? Even in the subject field of the email?

I often have problems with accents (I’m French haha) or apostrophes.

It’s important to escape every string that comes from a user input, and isn’t already sanitized. For example, if you have a “product number” field with validation that only allows A-Z and 0-9, it’s okay to skip that one. Then again, it’s harmless to add this to that field. Good practice is to use it on all fields unless you have a good reason not to.

ok thx! Is there any way to automate this so you don’t forget anything?

The bake tool will use it, if you generate your views that way. Fully automating it can be problematic, because there are almost certainly going to be cases where it does actually break your functionality.
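As an added example (not from the thread), here is what the advice above looks like in practice: the same value echoed raw and through h() in a CakePHP-style view, using an apostrophe and accented text like the original poster describes. It assumes CakePHP's h() wraps htmlspecialchars() with ENT_QUOTES and UTF-8; a fallback with that behaviour is defined here so the script runs on its own.

```php
<?php
// Added example, not code from the thread. CakePHP's h() is assumed to be a thin
// wrapper around htmlspecialchars() with ENT_QUOTES and UTF-8; the fallback below
// reproduces that so the script runs outside a CakePHP app.
if (!function_exists('h')) {
    function h(string $text, bool $double = true, string $charset = 'UTF-8'): string
    {
        return htmlspecialchars($text, ENT_QUOTES, $charset, $double);
    }
}

// Constructed sample values standing in for rows loaded from the database.
$samples = [
    "L'été à Besançon",            // apostrophe + accents (the poster's case)
    '<script>alert(1)</script>',    // HTML that arrived through a text field
    '" onmouseover="alert(1)',      // breaks out of an attribute if unescaped
];

foreach ($samples as $value) {
    // Raw: the browser parses any markup inside $value as HTML.
    $unsafe = "<td>{$value}</td>";
    // Escaped: <, >, ", ' and & become entities, so the value is shown as text.
    // Accented characters are untouched because the charset is UTF-8, which is
    // what avoids the mangled accents the poster mentions.
    $safe = '<td>' . h($value) . '</td>';
    echo "raw:     {$unsafe}", PHP_EOL;
    echo "escaped: {$safe}", PHP_EOL, PHP_EOL;
}

// The same rule applies inside an attribute value, e.g. a form field that
// re-displays what the user typed.
echo '<input name="q" value="' . h($samples[2]) . '">', PHP_EOL;
```

Run it with the PHP CLI and compare the two lines per sample; the escaped line is what the view should emit whenever a value came from outside the application.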