From 384b6a97613f15d66030d0040a466ec547d4d32b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Muhammet=20=C5=9Eafak?= <info@muhammetsafak.com.tr>
Date: Mon, 25 May 2026 08:43:50 +0300
Subject: [PATCH 1/4] Add support for Composer dist tarballs and implement CI
 workflow

---
 .gitattributes                                |  12 +-
 .github/workflows/ci.yml                      |  87 +++++
 .gitignore                                    |   5 +-
 README.md                                     | 258 ++++++-------
 composer.json                                 |  51 ++-
 docs/README.md                                |  33 ++
 docs/context-css.md                           |  59 +++
 docs/context-html-attribute.md                |  65 ++++
 docs/context-html.md                          |  48 +++
 docs/context-javascript.md                    |  64 +++
 docs/context-url.md                           |  74 ++++
 docs/encodings.md                             |  70 ++++
 docs/exceptions.md                            |  66 ++++
 docs/getting-started.md                       |  77 ++++
 docs/security-notes.md                        |  83 ++++
 phpunit.xml.dist                              |  13 +
 src/Esc.php                                   | 128 ++++--
 src/Escaper.php                               | 364 +++++++++++++-----
 src/Exception/EncodingConversionException.php |  13 +
 .../EncodingNotSupportedException.php         |  13 +
 src/Exception/EscaperException.php            |  17 +
 src/Exception/InvalidContextException.php     |  13 +
 src/Exception/InvalidUtf8Exception.php        |  13 +
 tests/EscTest.php                             | 152 ++++++++
 tests/EscaperCssTest.php                      |  66 ++++
 tests/EscaperEncodingTest.php                 |  76 ++++
 tests/EscaperHtmlAttrTest.php                 |  99 +++++
 tests/EscaperHtmlTest.php                     |  65 ++++
 tests/EscaperJsTest.php                       |  63 +++
 tests/EscaperUrlTest.php                      |  45 +++
 tests/ExceptionHierarchyTest.php              |  45 +++
 31 files changed, 1945 insertions(+), 292 deletions(-)
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 docs/README.md
 create mode 100644 docs/context-css.md
 create mode 100644 docs/context-html-attribute.md
 create mode 100644 docs/context-html.md
 create mode 100644 docs/context-javascript.md
 create mode 100644 docs/context-url.md
 create mode 100644 docs/encodings.md
 create mode 100644 docs/exceptions.md
 create mode 100644 docs/getting-started.md
 create mode 100644 docs/security-notes.md
 create mode 100644 phpunit.xml.dist
 create mode 100644 src/Exception/EncodingConversionException.php
 create mode 100644 src/Exception/EncodingNotSupportedException.php
 create mode 100644 src/Exception/EscaperException.php
 create mode 100644 src/Exception/InvalidContextException.php
 create mode 100644 src/Exception/InvalidUtf8Exception.php
 create mode 100644 tests/EscTest.php
 create mode 100644 tests/EscaperCssTest.php
 create mode 100644 tests/EscaperEncodingTest.php
 create mode 100644 tests/EscaperHtmlAttrTest.php
 create mode 100644 tests/EscaperHtmlTest.php
 create mode 100644 tests/EscaperJsTest.php
 create mode 100644 tests/EscaperUrlTest.php
 create mode 100644 tests/ExceptionHierarchyTest.php

diff --git a/.gitattributes b/.gitattributes
index 6e5411e..44fa4dc 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,9 @@
-.gitignore      export-ignore
-.gitattributes  export-ignore
-/Examples       export-ignore
\ No newline at end of file
+# Exclude from Composer dist tarballs.
+/.github           export-ignore
+/.gitattributes    export-ignore
+/.gitignore        export-ignore
+/.phpunit.cache    export-ignore
+/Examples          export-ignore
+/docs              export-ignore
+/tests             export-ignore
+/phpunit.xml.dist  export-ignore
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..66354ae
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,87 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  validate:
+    name: composer validate
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.2"
+          coverage: none
+          tools: composer:v2
+      - run: composer validate --strict
+
+  tests:
+    name: PHPUnit (PHP ${{ matrix.php }})
+    runs-on: ubuntu-latest
+    needs: validate
+    strategy:
+      fail-fast: false
+      matrix:
+        php: ["7.4", "8.0", "8.1", "8.2", "8.3", "8.4"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up PHP ${{ matrix.php }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          extensions: ctype, mbstring, iconv
+          coverage: none
+          tools: composer:v2
+
+      - name: Validate composer.json
+        run: composer validate --no-check-publish
+
+      - name: Get composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"
+
+      - name: Cache composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: composer-${{ matrix.php }}-${{ hashFiles('**/composer.json') }}
+          restore-keys: composer-${{ matrix.php }}-
+
+      - name: Install dependencies
+        run: composer update --prefer-dist --no-progress --no-interaction
+
+      - name: Run PHPUnit
+        run: vendor/bin/phpunit
+
+  coverage:
+    name: Coverage
+    runs-on: ubuntu-latest
+    needs: tests
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.2"
+          extensions: ctype, mbstring, iconv
+          coverage: pcov
+          tools: composer:v2
+
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-interaction
+
+      - name: Run PHPUnit with coverage
+        run: vendor/bin/phpunit --coverage-clover=coverage.xml
+
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-clover
+          path: coverage.xml
+          retention-days: 14
diff --git a/.gitignore b/.gitignore
index 0abe7ad..359db29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,7 @@
 /.vscode/
 /.vs/
 /vendor/
-/composer.lock
\ No newline at end of file
+/composer.lock
+/build/
+/.phpunit.cache/
+/.phpunit.result.cache
diff --git a/README.md b/README.md
index 5c8e332..062595a 100644
--- a/README.md
+++ b/README.md
@@ -1,180 +1,146 @@
-# InitPHP Escaper
+# initphp/escaper
 
-Securely and safely escape HTML, HTML attributes, JavaScript, CSS, and URLs.
+Context-aware output escaper for PHP. Safely render untrusted user input inside
+HTML, HTML attributes, JavaScript, CSS and URLs.
 
-[![Latest Stable Version](http://poser.pugx.org/initphp/escaper/v)](https://packagist.org/packages/initphp/escaper) [![Total Downloads](http://poser.pugx.org/initphp/escaper/downloads)](https://packagist.org/packages/initphp/escaper) [![Latest Unstable Version](http://poser.pugx.org/initphp/escaper/v/unstable)](https://packagist.org/packages/initphp/escaper) [![License](http://poser.pugx.org/initphp/escaper/license)](https://packagist.org/packages/initphp/escaper) [![PHP Version Require](http://poser.pugx.org/initphp/escaper/require/php)](https://packagist.org/packages/initphp/escaper)
+[![Latest Stable Version](https://poser.pugx.org/initphp/escaper/v)](https://packagist.org/packages/initphp/escaper)
+[![PHP Version Require](https://poser.pugx.org/initphp/escaper/require/php)](https://packagist.org/packages/initphp/escaper)
+[![CI](https://github.com/InitPHP/Escaper/actions/workflows/ci.yml/badge.svg)](https://github.com/InitPHP/Escaper/actions/workflows/ci.yml)
+[![License](https://poser.pugx.org/initphp/escaper/license)](https://packagist.org/packages/initphp/escaper)
+[![Total Downloads](https://poser.pugx.org/initphp/escaper/downloads)](https://packagist.org/packages/initphp/escaper)
 
-## Requirements
+`htmlspecialchars()` is not enough on its own. Each output context — an HTML
+body, an attribute, a JavaScript string literal, a CSS value, a URL parameter
+— needs its own escaping rules, and using the wrong one can leave you exposed
+to XSS even when you *think* you have escaped your data.
 
-- PHP 7.4 or higher
-- PHP _CType_ Extension
-- PHP _MB_String_ or _Iconv_ Extension
+`initphp/escaper` implements the rules from the
+[OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+for the five most common contexts, behind a small, dependency-free API.
 
 ## Installation
 
-```php 
+```bash
 composer require initphp/escaper
 ```
 
-## Usage
+### Requirements
 
-`\InitPHP\Escaper\Esc::esc()` : 
+- PHP 7.4 or newer
+- `ext-ctype`
+- `ext-mbstring` (required); `ext-iconv` is used when present and preferred
+  over mbstring
 
-```php 
-public static function esc(string[]|string $data, string $context = 'html', ?string $encoding = null): array|string;
-```
+## Quick start
+
+```php
+use InitPHP\Escaper\Esc;
+
+echo Esc::esc('<script>alert(1)</script>');
+// &lt;script&gt;alert(1)&lt;/script&gt;
+
+echo Esc::esc('faketitle onmouseover=alert(1);', 'attr');
+// faketitle&#x20;onmouseover&#x3D;alert&#x28;1&#x29;&#x3B;
 
-- `$data` : The content to be cleared.
-- `$context` : The method to be used for cleaning. If the value is not one of the following; Throws `Exception`.
-  - `html` 
-  - `js` 
-  - `css` 
-  - `url` 
-  - `attr`
-- `$encoding` : If the character set to be used is not specified or `NULL`; `UTF-8` is used by default.
-
-`html` Escaper Example :
-```php 
-<?php
-require_once "vendor/autoload.php";
-use \InitPHP\Escaper\Esc;
-
-$input = '<script>alert("initphp")</script>';
-?>
-<!DOCTYPE html>
-<html>
-<head>
-    <title>Encodings set correctly!</title>
-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-</head>
-<body>
-
-<?php
-echo Esc::esc($input, 'html');
-?>
-</body></html>
+echo Esc::esc('"; alert(1); var x="', 'js');
+// \x22\x3B\x20alert\x281\x29\x3B\x20var\x20x\x3D\x22
+
+echo Esc::esc('</style><script>alert(1)</script>', 'css');
+// \3C \2F style\3E \3C script\3E alert\28 1\29 \3C \2F script\3E
+
+echo Esc::esc('" onmouseover="alert(1)', 'url');
+// %22%20onmouseover%3D%22alert%281%29
 ```
 
-`attr` Escaper Example :
+`Esc::esc()` also accepts arrays and recurses into them, so escaping a whole
+request payload at the view boundary is a one-liner:
 
 ```php
-<?php
-require_once "../vendor/autoload.php";
-use \InitPHP\Escaper\Esc;
-
-$input = 'faketitle onmouseover=alert(/InitPHP!/);';
-?>
-<!DOCTYPE html>
-<html>
-<head>
-    <title>Quoteless Attribute</title>
-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-</head>
-<body>
-<div>
-    <?php
-    // <span title=faketitle&#x20;onmouseover&#x3D;alert&#x28;&#x2F;InitPHP&#x21;&#x2F;&#x29;&#x3B;>
-    ?>
-    <span title=<?php echo Esc::esc($input, 'attr'); ?>>
-            Hello World
-    </span>
-</div>
-</body>
-</html>
+$safe = Esc::esc($_GET, 'html');
 ```
 
-`Js` Escaper Example :
+## API
 
-```php
-<?php
-require_once "../vendor/autoload.php";
-use InitPHP\Escaper\Esc;
+### `Esc::esc()`
 
-$input = 'bar&quot;; alert(&quot;Hello!&quot;); var xss=&quot;true';
-?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-    <title>Escaped Entities</title>
-    <meta charset="UTF-8"/>
-    <script type="text/javascript">
-        <?php
-        /**
-         * var foo = bar\x26quot\x3B\x3B\x20alert\x28\x26quot\x3BHello\x21\x26quot\x3B\x29\x3B\x20var\x20xss\x3D\x26quot\x3Btrue;
-         */
-        ?>
-        var foo = <?php echo Esc::esc($input, 'js'); ?>;
-    </script>
-</head>
-<body>
-<p>Hello World</p>
-</body>
-</html>
+```php
+public static function esc(
+    array|string $data,
+    string $context = 'html',
+    ?string $encoding = null
+): array|string;
 ```
 
-`css` Escaper Example :
+| Argument    | Description                                                                 |
+| ----------- | --------------------------------------------------------------------------- |
+| `$data`     | A string, or an array (which is escaped recursively).                       |
+| `$context`  | `html`, `attr`, `js`, `css`, `url`, or `raw` (returns input unchanged).     |
+| `$encoding` | Output encoding. `null` resolves to UTF-8. See [Encodings](docs/encodings.md). |
+
+Throws `InitPHP\Escaper\Exception\InvalidContextException` for unknown contexts.
+
+### `Escaper`
+
+For lower-level use, instantiate `Escaper` directly. Each instance is bound to
+one encoding and exposes one method per context:
 
 ```php
-<?php
-require_once "../vendor/autoload.php";
-use \InitPHP\Escaper\Esc;
-
-$input = <<<INPUT
-body {
-    background-image: url('http://example.com/bar.jpg?</style><script>alert(13)</script>');
-}
-INPUT;
-?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-    <title>Escaped CSS</title>
-    <meta charset="UTF-8"/>
-    <style>
-        <?php
-        /**
-        * body\20 \7B \D \A \20 \20 \20 \20 background\2D image\3A \20 url\28 \27 http\3A \2F \2F example\2E com\2F bar\2E jpg\3F \3C \2F style\3E \3C script\3E alert\28 13\29 \3C \2F script\3E \27 \29 \3B \D \A \7D
-        */
-        echo Esc::esc($input, 'css');
-        ?>
-    </style>
-</head>
-<body>
-<p>User controlled CSS needs to be properly escaped!</p>
-</body>
-</html>
+use InitPHP\Escaper\Escaper;
+
+$escaper = new Escaper();          // utf-8
+$escaper = new Escaper('windows-1252');
+
+$escaper->escHtml($string);
+$escaper->escHtmlAttr($string);
+$escaper->escJs($string);
+$escaper->escCss($string);
+$escaper->escUrl($string);
 ```
 
-`url` Escaper Example : 
+## Documentation
 
-```php
-<?php
-require_once "../vendor/autoload.php";
-use \InitPHP\Escaper\Esc;
-
-$query = <<<QUERY
-" onmouseover="alert('hello')
-QUERY;
-?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-    <title>Unescaped URL</title>
-    <meta charset="UTF-8"/>
-</head>
-<body>
-<?php
-// http://example.com/?query=%22%20onmouseover%3D%22alert%28%27hello%27%29
-?>
-<a href="http://example.com/?query=<?php echo Esc::esc($query, 'url'); ?>">Click</a>
-</body>
-</html>
+The [`docs/`](docs/) directory contains a per-context walkthrough with
+examples, do-and-don't guidance and security notes:
+
+- [Getting started](docs/getting-started.md)
+- [HTML body context](docs/context-html.md)
+- [HTML attribute context](docs/context-html-attribute.md)
+- [JavaScript context](docs/context-javascript.md)
+- [CSS context](docs/context-css.md)
+- [URL context](docs/context-url.md)
+- [Encodings](docs/encodings.md)
+- [Exceptions](docs/exceptions.md)
+- [Security notes](docs/security-notes.md)
+
+## A word of warning
+
+> Output escaping prevents XSS but it is not a substitute for input validation,
+> authentication, or authorisation. It is also context-sensitive: the
+> JavaScript escaper assumes the caller wraps the result in quotes, the HTML
+> attribute escaper assumes the value is used as a single attribute value, and
+> so on. Read the per-context docs before mixing contexts.
+
+## Contributing
+
+Contributions are welcome. Please read the
+[org-wide CONTRIBUTING guide](https://github.com/InitPHP/.github/blob/main/CONTRIBUTING.md)
+for the workflow, coding standards and test expectations.
+
+A typical loop is:
+
+```bash
+git clone https://github.com/InitPHP/Escaper.git
+cd Escaper
+composer install
+composer test
 ```
 
-## Credits
+## Security
 
-- [Muhammet ŞAFAK](https://www.muhammetsafak.com.tr) <<info@muhammetsafak.com.tr>>
+If you discover a security issue, please follow the disclosure process
+documented in [SECURITY.md](https://github.com/InitPHP/.github/blob/main/SECURITY.md)
+rather than opening a public issue.
 
 ## License
 
-Copyright &copy; 2022 [MIT License](./LICENSE)
+Released under the [MIT License](./LICENSE). © InitPHP.
diff --git a/composer.json b/composer.json
index ad53f95..ef46f80 100644
--- a/composer.json
+++ b/composer.json
@@ -1,13 +1,20 @@
 {
     "name": "initphp/escaper",
-    "description": "InitPHP Escaper Class",
+    "description": "Context-aware output escaper (HTML, attribute, JavaScript, CSS, URL) for safely rendering untrusted user input.",
     "type": "library",
     "license": "MIT",
-    "autoload": {
-        "psr-4": {
-            "InitPHP\\Escaper\\": "src/"
-        }
-    },
+    "keywords": [
+        "escaper",
+        "escape",
+        "xss",
+        "security",
+        "html",
+        "javascript",
+        "css",
+        "url",
+        "output-encoding",
+        "owasp"
+    ],
     "authors": [
         {
             "name": "Muhammet ŞAFAK",
@@ -16,9 +23,35 @@
             "homepage": "https://www.muhammetsafak.com.tr"
         }
     ],
-    "minimum-stability": "stable",
+    "support": {
+        "issues": "https://github.com/InitPHP/Escaper/issues",
+        "source": "https://github.com/InitPHP/Escaper",
+        "docs": "https://github.com/InitPHP/Escaper/tree/main/docs"
+    },
     "require": {
         "php": ">=7.4",
-        "ext-ctype": "*"
-    }
+        "ext-ctype": "*",
+        "ext-mbstring": "*"
+    },
+    "require-dev": {
+        "phpunit/phpunit": "^9.6 || ^10.5 || ^11.5"
+    },
+    "suggest": {
+        "ext-iconv": "Preferred for encoding conversion; iconv is tried before mbstring."
+    },
+    "autoload": {
+        "psr-4": {
+            "InitPHP\\Escaper\\": "src/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "InitPHP\\Escaper\\Tests\\": "tests/"
+        }
+    },
+    "scripts": {
+        "test": "phpunit",
+        "test-coverage": "phpunit --coverage-html build/coverage"
+    },
+    "minimum-stability": "stable"
 }
diff --git a/docs/README.md b/docs/README.md
new file mode 100644
index 0000000..3167a53
--- /dev/null
+++ b/docs/README.md
@@ -0,0 +1,33 @@
+# initphp/escaper — Documentation
+
+This directory is the developer reference for `initphp/escaper`. The
+top-level [README](../README.md) is intentionally short; everything in
+depth lives here.
+
+## Index
+
+1. [Getting started](getting-started.md) — install, first call, the `Esc`
+   facade vs. instantiating `Escaper`.
+2. **Per-context guides** — one file per output context, with the rules
+   the escaper applies, the threats it defeats, and runnable examples:
+   - [HTML body context](context-html.md) (`escHtml`)
+   - [HTML attribute context](context-html-attribute.md) (`escHtmlAttr`)
+   - [JavaScript context](context-javascript.md) (`escJs`)
+   - [CSS context](context-css.md) (`escCss`)
+   - [URL context](context-url.md) (`escUrl`)
+3. [Encodings](encodings.md) — non-UTF-8 input/output, the supported list
+   and how conversion is performed.
+4. [Exceptions](exceptions.md) — the exception tree and when each one
+   is thrown.
+5. [Security notes](security-notes.md) — caveats, common misuses, and
+   pointers to authoritative sources.
+
+## Conventions used in these docs
+
+- Code samples assume the autoloader has already been required.
+- Output shown in `// comments` is the literal string the escaper
+  returns. Each sample was generated by running the escaper itself, not
+  hand-written.
+- "Untrusted" means any data that has touched the network, the
+  filesystem, a database, or anything else outside your PHP process —
+  in other words, "almost everything".
diff --git a/docs/context-css.md b/docs/context-css.md
new file mode 100644
index 0000000..ba47c91
--- /dev/null
+++ b/docs/context-css.md
@@ -0,0 +1,59 @@
+# CSS context (`escCss`)
+
+> Use when the value lands inside a CSS property value:
+> `color: HERE;`, `background-image: url(HERE);`, `<style>div { color: HERE; }</style>`.
+
+## What it does
+
+`escCss` whitelists `[A-Za-z0-9]`. Every other character is rewritten as
+the CSS escape sequence `\HEX `, with the **mandatory trailing space**
+that terminates the escape.
+
+The trailing space looks redundant when followed by another character,
+but CSS uses it as a delimiter — without it, the parser would eat
+hex-digit-looking characters that follow the escape. Always emit it.
+
+## Example — preventing a `</style>` breakout
+
+```php
+use InitPHP\Escaper\Esc;
+
+$untrusted = '</style><script>alert(1)</script>';
+
+echo Esc::esc($untrusted, 'css');
+// \3C \2F style\3E \3C script\3E alert\28 1\29 \3C \2F script\3E
+```
+
+The `<`, `>`, `/`, `(`, `)`, and spaces all turn into CSS escapes, so
+the attacker cannot close the `<style>` block and inject a script.
+
+## Multibyte characters
+
+```php
+echo Esc::esc('ş', 'css');
+// \15F 
+
+echo Esc::esc('🚀', 'css');
+// \1F680 
+```
+
+Both come out as single CSS escape sequences regardless of how many
+UTF-8 bytes they used in the input.
+
+## When **not** to use it
+
+- **CSS selectors built from user input** — `escCss` is for property
+  *values*. Building a selector from untrusted data is dangerous even
+  with escaping, because selectors can themselves trigger script in
+  some legacy contexts (`expression()`, etc.). Don't.
+- **CSS `url()` arguments that hold a real URL** — escape the URL with
+  [`escUrl`](context-url.md) first; the result is then already safe to
+  drop inside CSS as a plain string.
+- **Inline `style` attribute** — the attribute value first needs to be
+  HTML-attribute-safe, and the CSS inside it needs to be CSS-safe.
+  Apply `escCss` to the property value, and rely on the attribute
+  quoting that the templating engine adds.
+
+## Empty / digit-only inputs
+
+Returned untouched, as in the other contexts.
diff --git a/docs/context-html-attribute.md b/docs/context-html-attribute.md
new file mode 100644
index 0000000..3060c4d
--- /dev/null
+++ b/docs/context-html-attribute.md
@@ -0,0 +1,65 @@
+# HTML attribute context (`escHtmlAttr`)
+
+> Use when the value lands inside an HTML attribute:
+> `<span title="HERE">`, `<a href="HERE">`, `<input value=HERE>`.
+
+## What it does
+
+`escHtmlAttr` is strict: anything outside `[A-Za-z0-9,.\-_]` is
+rewritten as an HTML entity. That whitelist is small enough to be safe
+in **quoted, single-quoted and unquoted** attribute values.
+
+- A handful of code points use named entities (`&quot;`, `&amp;`,
+  `&lt;`, `&gt;`) when they have one.
+- Everything else uses numeric character references (`&#xHH;` or
+  `&#xHHHH;`).
+- `U+0000`–`U+001F` (except tab, LF, CR) and `U+007F`–`U+009F` are
+  replaced with `U+FFFD` because they cannot appear inside an HTML
+  document.
+
+## Example — defeating an unquoted-attribute injection
+
+```php
+use InitPHP\Escaper\Esc;
+
+$untrusted = 'faketitle onmouseover=alert(1);';
+
+echo '<span title=' . Esc::esc($untrusted, 'attr') . '>hello</span>';
+// <span title=faketitle&#x20;onmouseover&#x3D;alert&#x28;1&#x29;&#x3B;>hello</span>
+```
+
+The space, `=`, parentheses and semicolon all become entity references,
+so the browser sees one attribute value rather than the attacker's
+extra `onmouseover` handler.
+
+## Examples — multibyte and Unicode
+
+```php
+echo Esc::esc('ş', 'attr');
+// &#x015F;
+
+echo Esc::esc('🚀', 'attr');
+// &#x1F680;
+```
+
+## When **not** to use it
+
+- **URL attributes** (`href`, `src`, `action`) — `escHtmlAttr` only
+  protects the attribute *delimiters*. Run the URL through
+  [`escUrl`](context-url.md) first.
+- **Event handlers** (`onclick`, `onfocus`, …) — those are JavaScript
+  contexts, not HTML attribute contexts. Apply
+  [`escJs`](context-javascript.md) to the JS code, then `escHtmlAttr`
+  the result if it sits inside an `on*=…` attribute.
+- **`style` attribute** — that is a CSS context. Use
+  [`escCss`](context-css.md) inside `style="..."`.
+
+## Empty / digit-only inputs
+
+The escaper short-circuits when the input is empty or contains nothing
+but ASCII digits — those values are already attribute-safe:
+
+```php
+Esc::esc('', 'attr');     // ''
+Esc::esc('12345', 'attr'); // '12345'
+```
diff --git a/docs/context-html.md b/docs/context-html.md
new file mode 100644
index 0000000..fe59ae2
--- /dev/null
+++ b/docs/context-html.md
@@ -0,0 +1,48 @@
+# HTML body context (`escHtml`)
+
+> Use when the value lands between HTML tags:
+> `<p>HERE</p>`, `<div>HERE</div>`, `<li>HERE</li>`.
+
+## What it does
+
+`escHtml` is a thin wrapper around `htmlspecialchars()` configured with
+`ENT_QUOTES | ENT_SUBSTITUTE`:
+
+- `ENT_QUOTES` escapes both single and double quotes, so the same
+  output is safe inside an attribute should it ever be moved.
+- `ENT_SUBSTITUTE` replaces malformed UTF-8 with `U+FFFD` instead of
+  returning an empty string — failing safe, not silently.
+
+## Example
+
+```php
+use InitPHP\Escaper\Esc;
+
+echo Esc::esc('<script>alert("xss")</script>');
+// &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;
+
+echo Esc::esc("Tom & Jerry's adventure");
+// Tom &amp; Jerry&#039;s adventure
+```
+
+The escaper does not touch characters that are already safe in the HTML
+body context — letters, digits, accented characters, emoji, all pass
+through:
+
+```php
+echo Esc::esc('Merhaba dünya 🚀');
+// Merhaba dünya 🚀
+```
+
+## When **not** to use it
+
+- **Attribute values** — `escHtml` is safe enough for quoted attributes
+  but loses to unquoted attributes (a space ends the value). Use
+  [`escHtmlAttr`](context-html-attribute.md) instead.
+- **`<script>` blocks** — HTML entities are not decoded inside a
+  script. Use [`escJs`](context-javascript.md).
+- **`<style>` blocks** — same problem. Use
+  [`escCss`](context-css.md).
+- **URLs in `href` / `src`** — escape the URL with
+  [`escUrl`](context-url.md) first, then put the escaped URL through
+  `escHtml` if needed.
diff --git a/docs/context-javascript.md b/docs/context-javascript.md
new file mode 100644
index 0000000..05dd985
--- /dev/null
+++ b/docs/context-javascript.md
@@ -0,0 +1,64 @@
+# JavaScript context (`escJs`)
+
+> Use when the value lands inside a JavaScript string literal:
+> `var foo = "HERE";`, `<script>var foo = 'HERE';</script>`.
+
+## What it does
+
+`escJs` whitelists `[A-Za-z0-9,._]`. Every other character is rewritten
+as a JavaScript escape sequence:
+
+- Single-byte characters → `\xNN`.
+- BMP multibyte characters → `\uNNNN`.
+- Characters above the BMP (e.g. emoji) → a UTF-16 surrogate pair
+  `\uHHHH\uHHHH`.
+
+Both single-byte and multibyte cases output upper-case hex.
+
+## Important — the caller adds the quotes
+
+`escJs` produces a *fragment* that is safe **inside** a string literal.
+It does **not** add the surrounding quotes. The standard usage is:
+
+```php
+use InitPHP\Escaper\Esc; ?>
+
+<script>
+    var greeting = "<?= Esc::esc($value, 'js') ?>";
+</script>
+```
+
+Forgetting the quotes will produce invalid JavaScript, not a security
+issue — but it is the single most common mistake with JS escapers.
+
+## Examples
+
+```php
+use InitPHP\Escaper\Esc;
+
+echo Esc::esc('"; alert(1); var x="', 'js');
+// \x22\x3B\x20alert\x281\x29\x3B\x20var\x20x\x3D\x22
+
+echo Esc::esc('ş', 'js');
+// \u015F
+
+echo Esc::esc('🚀', 'js');
+// \uD83D\uDE80
+```
+
+## When **not** to use it
+
+- **JSON output** — use `json_encode($value, JSON_UNESCAPED_UNICODE |
+  JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`
+  instead. JSON is its own well-defined serialisation; `escJs` is for
+  inline embedding inside a string literal.
+- **JavaScript identifiers, keywords or object keys** — `escJs` is
+  designed for **values**, not code. Do not paste user input into a
+  variable name or a property accessor.
+- **`<script type="application/json">` blocks** — those are JSON, not
+  inline JavaScript; the JSON rules above apply.
+
+## Empty / digit-only inputs
+
+Like the other contexts, empty strings and ASCII-digit-only strings are
+returned untouched.
diff --git a/docs/context-url.md b/docs/context-url.md
new file mode 100644
index 0000000..ad351dc
--- /dev/null
+++ b/docs/context-url.md
@@ -0,0 +1,74 @@
+# URL context (`escUrl`)
+
+> Use when the value lands inside a URL component — most often a query
+> string parameter:
+> `<a href="/search?q=HERE">`, `https://example.com/?name=HERE`.
+
+## What it does
+
+`escUrl` is a thin wrapper around PHP's `rawurlencode()`. The output
+follows RFC 3986: every character outside `A-Z a-z 0-9 - _ . ~` is
+percent-encoded.
+
+Unlike `urlencode()`, the result encodes a literal space as `%20`,
+which is correct in URL **paths and query values** and in the
+`application/x-www-form-urlencoded` payload.
+
+## Example
+
+```php
+use InitPHP\Escaper\Esc;
+
+$untrusted = '" onmouseover="alert(1)';
+
+echo Esc::esc($untrusted, 'url');
+// %22%20onmouseover%3D%22alert%281%29
+```
+
+```php
+echo Esc::esc('foo bar', 'url');
+// foo%20bar
+
+echo Esc::esc('Hello.world-1_2~3', 'url');
+// Hello.world-1_2~3
+```
+
+## What it does **not** do
+
+`escUrl` encodes a single URL **component**, not a whole URL. Do not
+pass an entire URL through it — every `:`, `/`, `?` and `&` would be
+escaped and the result would be a useless string.
+
+The correct pattern is:
+
+```php
+$base  = 'https://example.com/search';
+$query = http_build_query([
+    'q'    => $userQuery,   // http_build_query already encodes
+    'sort' => $userSort,
+]);
+
+echo '<a href="' . Esc::esc($base . '?' . $query, 'attr') . '">link</a>';
+```
+
+For one-off cases where you build the query string by hand:
+
+```php
+echo '<a href="https://example.com/?q=' . Esc::esc($userQuery, 'url') . '">link</a>';
+```
+
+## When **not** to use it
+
+- **Schemes** — never let untrusted data choose the URL scheme
+  (`javascript:`, `data:`, `vbscript:` etc. can run code). If your
+  application accepts a user-supplied URL, validate the scheme against
+  a whitelist (`https`, `http`, `mailto`, …) *before* you escape.
+- **Whole URLs** — see above.
+- **URL fragments containing `+`** — `escUrl` produces `%20` for a
+  space, which is correct in modern URL parsing. Some legacy systems
+  expect `+` instead; in that case use `urlencode()` directly.
+
+## Empty / digit-only inputs
+
+`rawurlencode()` returns an empty string for an empty input and leaves
+digit-only inputs untouched, so the wrapper is a no-op for those.
diff --git a/docs/encodings.md b/docs/encodings.md
new file mode 100644
index 0000000..d3dd7e3
--- /dev/null
+++ b/docs/encodings.md
@@ -0,0 +1,70 @@
+# Encodings
+
+The escaper works internally in UTF-8 but can read and write a fixed
+list of legacy single-byte and double-byte encodings.
+
+## Default
+
+`new Escaper()` (or any `Esc::esc()` call without an `$encoding`
+argument) operates in UTF-8 end to end. No conversion is performed and
+no extra extension is needed beyond `ext-ctype` and `ext-mbstring`.
+
+## Supported encodings
+
+The constructor lower-cases the requested encoding and checks it
+against a whitelist:
+
+```
+iso-8859-1     iso8859-1
+iso-8859-5     iso8859-5
+iso-8859-15    iso8859-15
+utf-8
+cp866          ibm866          866
+cp1251         windows-1251    win-1251    1251
+cp1252         windows-1252    1252
+koi8-r         koi8-ru         koi8r
+big5           950
+gb2312         936
+big5-hkscs
+shift_jis      sjis            sjis-win    cp932    932
+euc-jp         eucjp           eucjp-win
+macroman
+```
+
+Anything outside this list raises `EncodingNotSupportedException`.
+
+## How conversion works
+
+When the configured encoding is not UTF-8:
+
+1. The input string is converted to UTF-8 before the per-context
+   matcher runs.
+2. The converted string is validated — if it is not well-formed UTF-8,
+   `InvalidUtf8Exception` is raised.
+3. The escaped result is converted back to the configured encoding
+   before it is returned.
+
+The conversion itself uses `iconv()` when the extension is loaded, and
+falls back to `mb_convert_encoding()` otherwise. If neither is
+available the call raises `EncodingConversionException`. A failure
+inside `iconv`/`mbstring` also raises `EncodingConversionException`
+rather than silently returning an empty string.
+
+## Example
+
+```php
+use InitPHP\Escaper\Escaper;
+
+$escaper = new Escaper('iso-8859-1');
+
+// Input is ISO-8859-1: 0xE9 is "é".
+$output = $escaper->escHtml("\xE9");
+// 0xE9 — htmlspecialchars left it alone, and the output stayed in ISO-8859-1.
+```
+
+## Choosing an encoding
+
+Unless you have an external constraint (a legacy database, a fixed
+output transport), prefer UTF-8 everywhere — it is the only encoding
+where the escaper performs no conversion and no validation step can
+fail with an `InvalidUtf8Exception`.
diff --git a/docs/exceptions.md b/docs/exceptions.md
new file mode 100644
index 0000000..25251f6
--- /dev/null
+++ b/docs/exceptions.md
@@ -0,0 +1,66 @@
+# Exceptions
+
+Every exception thrown by the escaper extends a single base, so a
+single `catch` block can handle anything originating from this
+package.
+
+```
+\RuntimeException
+    └─ InitPHP\Escaper\Exception\EscaperException
+        ├─ EncodingNotSupportedException
+        ├─ EncodingConversionException
+        ├─ InvalidContextException
+        └─ InvalidUtf8Exception
+```
+
+## `EscaperException`
+
+The base. Catch this to handle any escaper failure without caring
+about the cause.
+
+```php
+use InitPHP\Escaper\Esc;
+use InitPHP\Escaper\Exception\EscaperException;
+
+try {
+    echo Esc::esc($value, 'attr', $encoding);
+} catch (EscaperException $e) {
+    // log and fall back
+}
+```
+
+## `EncodingNotSupportedException`
+
+Thrown from `new Escaper($encoding)` when `$encoding` is not part of
+the supported whitelist. Also surfaces from `Esc::esc()` the first
+time a new encoding is requested.
+
+```php
+new Escaper('utf-16');
+// EncodingNotSupportedException: Encoding "utf-16" is not supported.
+```
+
+## `EncodingConversionException`
+
+Thrown by `Escaper` when:
+
+- neither `ext-iconv` nor `ext-mbstring` is loaded, **or**
+- the underlying conversion call returns `false`.
+
+The previous (pre-2.x) behaviour silently substituted an empty string
+in this case, which could mask real failures. The exception now
+prevents that data loss.
+
+## `InvalidContextException`
+
+Thrown by `Esc::esc()` when `$context` is not one of `html`, `attr`,
+`js`, `css`, `url`, `raw` (case-insensitive). Empty string and `raw`
+are accepted and return the input unchanged.
+
+## `InvalidUtf8Exception`
+
+Thrown by the context escapers (`escHtmlAttr`, `escJs`, `escCss`)
+when the input is not — and cannot be converted to — well-formed
+UTF-8. `escHtml` does not raise this exception; it leans on
+`htmlspecialchars()` with `ENT_SUBSTITUTE`, which replaces malformed
+bytes with `U+FFFD` instead of failing.
diff --git a/docs/getting-started.md b/docs/getting-started.md
new file mode 100644
index 0000000..a9af4c8
--- /dev/null
+++ b/docs/getting-started.md
@@ -0,0 +1,77 @@
+# Getting started
+
+## Install
+
+```bash
+composer require initphp/escaper
+```
+
+The package needs PHP 7.4 or newer, plus `ext-ctype` and `ext-mbstring`.
+`ext-iconv` is optional but used in preference to mbstring when present.
+
+## The two entry points
+
+There are two ways to reach the escaper.
+
+### 1. The `Esc` static facade
+
+The fastest way to escape one value:
+
+```php
+use InitPHP\Escaper\Esc;
+
+$safe = Esc::esc($value, 'html');
+```
+
+`Esc::esc()` accepts a string or an array (recursed into), dispatches to
+the right method on a memoised `Escaper` instance, and returns the
+escaped value. Use it when you do not want to think about lifecycle.
+
+### 2. The `Escaper` object
+
+Useful when you want one instance bound to a specific encoding, or you
+want to inject the escaper into your view layer:
+
+```php
+use InitPHP\Escaper\Escaper;
+
+$escaper = new Escaper();           // UTF-8
+$escaper = new Escaper('windows-1252');
+
+$escaper->escHtml($string);
+$escaper->escHtmlAttr($string);
+$escaper->escJs($string);
+$escaper->escCss($string);
+$escaper->escUrl($string);
+```
+
+The two paths produce identical output for the same input/encoding —
+`Esc` is simply a thin wrapper.
+
+## Picking a context
+
+| Where does the value go? | Use            | Context name |
+| ------------------------ | -------------- | ------------ |
+| Between HTML tags        | `escHtml`      | `html`       |
+| Inside an HTML attribute | `escHtmlAttr`  | `attr`       |
+| Inside a JS string       | `escJs`        | `js`         |
+| Inside a CSS value       | `escCss`       | `css`        |
+| Inside a URL component   | `escUrl`       | `url`        |
+
+If you mix these up you can re-introduce XSS even after "escaping".
+Each per-context guide in this directory spells the rules out in detail.
+
+## Escaping a whole structure
+
+`Esc::esc()` recurses into arrays. Non-string, non-array values inside
+the array are returned untouched:
+
+```php
+$payload = ['title' => '<b>hi</b>', 'votes' => 42];
+
+Esc::esc($payload);
+// ['title' => '&lt;b&gt;hi&lt;/b&gt;', 'votes' => 42]
+```
+
+A top-level value that is neither a string nor an array is returned
+unchanged.
diff --git a/docs/security-notes.md b/docs/security-notes.md
new file mode 100644
index 0000000..8547361
--- /dev/null
+++ b/docs/security-notes.md
@@ -0,0 +1,83 @@
+# Security notes
+
+Output escaping is necessary but **not sufficient** for safe rendering.
+This page collects the things the per-context guides only hint at.
+
+## 1. Escape on output, not on input
+
+It is tempting to escape data once, at the boundary where it enters
+the system, and store the escaped form in the database. Do not do
+this:
+
+- The "escape" is context-dependent — HTML-escaping a value at input
+  time makes it wrong for JSON, CSV, JavaScript, plain-text email,
+  search indexing, …
+- Once stored as escaped text, you lose the original value and have to
+  un-escape it for every non-HTML use, which inevitably leaks an
+  unescaped path.
+
+Store the original bytes. Escape them at the place — and in the
+context — they are about to be rendered.
+
+## 2. Pick the right context
+
+`htmlspecialchars()` is **not** enough on its own. Each of the five
+contexts has different rules, and applying the wrong one can leave the
+output exploitable:
+
+| Output location           | Wrong escaper                    | What attacker can do |
+| ------------------------- | -------------------------------- | -------------------- |
+| Unquoted attribute        | `escHtml`                        | inject `onmouseover=…` via a space |
+| `<script>` body           | `escHtml`                        | HTML entities are not decoded in scripts; payload survives intact |
+| `<style>` body            | `escHtml`                        | same problem as `<script>` |
+| `href`/`src`              | `escHtml` only                   | `javascript:` scheme runs code |
+| Inline event handler      | `escHtmlAttr` only               | the attribute is safe but its JS contents are not |
+
+The matrix in [getting started](getting-started.md#picking-a-context)
+shows the right pairing for each location.
+
+## 3. URL scheme validation
+
+The URL escaper does not (and cannot) prevent `javascript:` or
+`data:` URLs from running. If the URL itself comes from user input,
+validate the scheme against a whitelist **before** escaping:
+
+```php
+$url = $userSuppliedUrl;
+$scheme = strtolower(parse_url($url, PHP_URL_SCHEME) ?? '');
+if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
+    $url = '#';
+}
+
+echo '<a href="' . Esc::esc($url, 'attr') . '">link</a>';
+```
+
+## 4. Content-Security-Policy is your seatbelt
+
+Even with perfect escaping, a CSP header narrows the blast radius of
+any escaping bug you may still have. A minimal, strict policy is a
+strong second line of defence; a permissive `unsafe-inline` policy
+undoes a lot of what escaping bought you. Treat them together, not as
+substitutes.
+
+## 5. Avoid building code from user input
+
+The escapers protect *values* embedded in a fixed code template. They
+do **not** protect against building executable code from user input —
+do not concatenate untrusted text into a JavaScript identifier, a CSS
+selector, a SQL fragment, a shell command, or a regular expression.
+Use placeholders / prepared APIs in each of those contexts.
+
+## 6. Authoritative references
+
+When in doubt about a specific edge case, defer to:
+
+- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+- [WHATWG HTML — § Restrictions on content models](https://html.spec.whatwg.org/multipage/syntax.html)
+- [RFC 3986 — Uniform Resource Identifier](https://www.rfc-editor.org/rfc/rfc3986)
+- [CSS Syntax Module Level 3 — § Escapes](https://drafts.csswg.org/css-syntax-3/#escape-diagram)
+
+If you discover an escaping bug in this package, please report it
+through the process in
+[SECURITY.md](https://github.com/InitPHP/.github/blob/main/SECURITY.md)
+rather than opening a public issue.
diff --git a/phpunit.xml.dist b/phpunit.xml.dist
new file mode 100644
index 0000000..fb01662
--- /dev/null
+++ b/phpunit.xml.dist
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/11.5/phpunit.xsd" bootstrap="vendor/autoload.php" colors="true" beStrictAboutOutputDuringTests="true" beStrictAboutTestsThatDoNotTestAnything="true" failOnWarning="true" failOnRisky="true" cacheDirectory=".phpunit.cache">
+  <testsuites>
+    <testsuite name="InitPHP Escaper Test Suite">
+      <directory>tests</directory>
+    </testsuite>
+  </testsuites>
+  <source>
+    <include>
+      <directory suffix=".php">src</directory>
+    </include>
+  </source>
+</phpunit>
diff --git a/src/Esc.php b/src/Esc.php
index 81bd4db..7dc0cb7 100644
--- a/src/Esc.php
+++ b/src/Esc.php
@@ -1,65 +1,123 @@
 <?php
+
 /**
- * Esc.php
+ * This file is part of the initphp/escaper package.
  *
- * This file is part of InitPHP.
+ * (c) InitPHP <info@muhammetsafak.com.tr>
  *
- * @author     Muhammet ŞAFAK <info@muhammetsafak.com.tr>
- * @copyright  Copyright © 2022 InitPHP
- * @license    http://initphp.github.io/license.txt  MIT
- * @version    1.0
- * @link       https://www.muhammetsafak.com.tr
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
  */
 
 declare(strict_types=1);
 
 namespace InitPHP\Escaper;
 
-use \Exception;
+use InitPHP\Escaper\Exception\InvalidContextException;
 
 use function is_array;
 use function is_string;
 use function strtolower;
-use function in_array;
-use function ucfirst;
 
+/**
+ * Thin static facade over {@see Escaper}.
+ *
+ * Accepts a string or an array (recursively) and dispatches to the
+ * appropriate {@see Escaper} method based on the requested context.
+ * Per-encoding {@see Escaper} instances are memoised across calls.
+ */
 class Esc
 {
+    /**
+     * Map of supported context names to the {@see Escaper} method that
+     * implements them. The `raw` context is handled inline and bypasses the
+     * escaper entirely.
+     *
+     * @var array<string, string>
+     */
+    private const CONTEXT_METHODS = [
+        'html' => 'escHtml',
+        'attr' => 'escHtmlAttr',
+        'js'   => 'escJs',
+        'css'  => 'escCss',
+        'url'  => 'escUrl',
+    ];
+
+    /**
+     * Memoised escaper instances, keyed by normalised encoding name.
+     *
+     * @var array<string, Escaper>
+     */
+    private static array $instances = [];
 
     /**
-     * @param array|string $data
-     * @param string $context <p> html, js, css, url, attr </p>
-     * @param string|null $encoding
-     * @return array|string
-     * @throws Exception
+     * Escape a string — or every string inside an array — for the given
+     * output context.
+     *
+     * Non-string scalars and objects inside an array are returned unchanged.
+     * For a top-level non-string, non-array value the input is returned as-is.
+     *
+     * @param array<array-key, mixed>|string $data     The value to escape.
+     * @param string                         $context  One of: html, attr, js, css, url, raw.
+     *                                                 Lookup is case-insensitive.
+     * @param string|null                    $encoding Output encoding; null uses UTF-8.
+     *
+     * @return array<array-key, mixed>|string
+     *
+     * @throws InvalidContextException When $context is not a recognised name.
      */
     public static function esc($data, string $context = 'html', ?string $encoding = null)
     {
-        if(is_array($data)){
+        if (is_array($data)) {
             foreach ($data as &$value) {
-                $value = self::esc($value, $context);
+                $value = self::esc($value, $context, $encoding);
             }
+            unset($value);
+
+            return $data;
         }
-        if(is_string($data)){
-            $context = strtolower($context);
-            if(empty($context) || $context === 'raw'){
-                return $data;
-            }
-            if(in_array($context, ['html', 'js', 'css', 'url', 'attr'], true) === FALSE){
-                throw new Exception('Invalid escape context provided.');
-            }
-            $method = $context === 'attr' ? 'escHtmlAttr' : 'esc' . ucfirst($context);
 
-            static $esc;
-            if(!$esc){
-                $esc = new \InitPHP\Escaper\Escaper($encoding);
-            }
-            if($esc && $esc->getEncoding() !== $encoding){
-                $esc = new \InitPHP\Escaper\Escaper($encoding);
-            }
-            $data = $esc->{$method}($data);
+        if (!is_string($data)) {
+            return $data;
+        }
+
+        $context = strtolower($context);
+        if ($context === '' || $context === 'raw') {
+            return $data;
         }
-        return $data;
+
+        if (!isset(self::CONTEXT_METHODS[$context])) {
+            throw new InvalidContextException(
+                sprintf('Invalid escape context "%s".', $context)
+            );
+        }
+
+        $method = self::CONTEXT_METHODS[$context];
+
+        return self::getEscaper($encoding)->{$method}($data);
+    }
+
+    /**
+     * Reset the memoised escaper cache. Intended for tests; clears every
+     * cached {@see Escaper} so the next {@see esc()} call rebuilds them.
+     */
+    public static function reset(): void
+    {
+        self::$instances = [];
     }
 
+    /**
+     * Return — and lazily create — the {@see Escaper} for the given encoding.
+     * Null is normalised to UTF-8 so all callers share a single instance.
+     */
+    private static function getEscaper(?string $encoding): Escaper
+    {
+        $key = $encoding === null || $encoding === '' ? 'utf-8' : strtolower($encoding);
+
+        if (!isset(self::$instances[$key])) {
+            self::$instances[$key] = new Escaper($encoding);
+        }
+
+        return self::$instances[$key];
+    }
 }
diff --git a/src/Escaper.php b/src/Escaper.php
index b648bc6..50b3a6f 100644
--- a/src/Escaper.php
+++ b/src/Escaper.php
@@ -1,61 +1,90 @@
 <?php
+
 /**
- * Escaper.php
+ * This file is part of the initphp/escaper package.
  *
- * This file is part of InitPHP.
+ * (c) InitPHP <info@muhammetsafak.com.tr>
  *
- * @author     Muhammet ŞAFAK <info@muhammetsafak.com.tr>
- * @copyright  Copyright © 2022 InitPHP
- * @license    http://initphp.github.io/license.txt  MIT
- * @version    1.0
- * @link       https://www.muhammetsafak.com.tr
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
  */
 
 declare(strict_types=1);
 
 namespace InitPHP\Escaper;
 
-use \Exception;
+use InitPHP\Escaper\Exception\EncodingConversionException;
+use InitPHP\Escaper\Exception\EncodingNotSupportedException;
+use InitPHP\Escaper\Exception\InvalidUtf8Exception;
 
-use function strtolower;
-use function in_array;
-use function htmlspecialchars;
+use function bin2hex;
 use function ctype_digit;
+use function function_exists;
+use function hexdec;
+use function htmlspecialchars;
+use function iconv;
+use function in_array;
+use function mb_convert_encoding;
+use function ord;
+use function preg_match;
 use function preg_replace_callback;
 use function rawurlencode;
-use function ord;
-use function strlen;
-use function bin2hex;
-use function hexdec;
 use function sprintf;
+use function strlen;
+use function strtolower;
 use function strtoupper;
 use function substr;
-use function preg_match;
-use function function_exists;
 
+use const ENT_QUOTES;
+use const ENT_SUBSTITUTE;
+
+/**
+ * Context-aware output escaper.
+ *
+ * Provides escape routines for the five untrusted-data contexts described in
+ * the OWASP XSS Prevention Cheat Sheet:
+ *
+ * - HTML body                  ({@see escHtml()})
+ * - HTML common attribute      ({@see escHtmlAttr()})
+ * - JavaScript string literal  ({@see escJs()})
+ * - CSS value                  ({@see escCss()})
+ * - URL parameter              ({@see escUrl()})
+ *
+ * All input must be — or be convertible to — valid UTF-8. The output is
+ * returned in the encoding that was configured at construction time
+ * (UTF-8 by default).
+ */
 class Escaper
 {
-    protected static array $htmlNamedEntityMap = [
-        34      => 'quot',
-        38      => 'amp',
-        60      => 'lt',
-        62      => 'gt',
+    /**
+     * Map of code points that have a shorter named HTML entity which we prefer
+     * over the numeric form when emitted from an attribute matcher.
+     *
+     * @var array<int, string>
+     */
+    private const HTML_NAMED_ENTITY_MAP = [
+        34 => 'quot',
+        38 => 'amp',
+        60 => 'lt',
+        62 => 'gt',
     ];
 
-    protected string $encoding = 'utf-8';
-
-    protected int $htmlSpecialCharsFlags;
-
-    /** @var callable */
-    protected $htmlAttrMatcher;
+    /**
+     * Flags passed to {@see htmlspecialchars()} in {@see escHtml()}.
+     *
+     * ENT_QUOTES escapes both single and double quotes; ENT_SUBSTITUTE
+     * replaces invalid byte sequences with U+FFFD rather than returning an
+     * empty string.
+     */
+    private const HTML_SPECIAL_CHARS_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE;
 
-    /** @var callable */
-    protected $jsMatcher;
-
-    /** @var callable */
-    protected $cssMatcher;
-
-    protected array $supportedEncodings = [
+    /**
+     * Whitelist of encodings recognised by the constructor. Membership is
+     * tested after the input is lower-cased.
+     *
+     * @var list<string>
+     */
+    private const SUPPORTED_ENCODINGS = [
         'iso-8859-1',
         'iso8859-1',
         'iso-8859-5',
@@ -92,154 +121,293 @@ class Escaper
         'macroman',
     ];
 
+    /**
+     * The lower-cased output encoding used by {@see fromUtf8()} and reported
+     * by {@see getEncoding()}.
+     */
+    protected string $encoding = 'utf-8';
+
+    /**
+     * @param string|null $encoding Output encoding name. When null or empty,
+     *                              UTF-8 is used. Lookup is case-insensitive.
+     *
+     * @throws EncodingNotSupportedException When $encoding is not part of the
+     *                                       supported whitelist.
+     */
     public function __construct(?string $encoding = null)
     {
-        if($encoding !== null && $encoding !== ''){
+        if ($encoding !== null && $encoding !== '') {
             $encoding = strtolower($encoding);
-            if(!in_array($encoding, $this->supportedEncodings)){
-                throw new Exception('Encoding type not supported.');
+            if (!in_array($encoding, self::SUPPORTED_ENCODINGS, true)) {
+                throw new EncodingNotSupportedException(
+                    sprintf('Encoding "%s" is not supported.', $encoding)
+                );
             }
             $this->encoding = $encoding;
         }
-        $this->htmlSpecialCharsFlags = \ENT_QUOTES | \ENT_SUBSTITUTE;
-        $this->htmlAttrMatcher = [$this, 'htmlAttrMatcher'];
-        $this->jsMatcher = [$this, 'jsMatcher'];
-        $this->cssMatcher = [$this, 'cssMatcher'];
     }
 
+    /**
+     * @return string The lower-cased output encoding.
+     */
     public function getEncoding(): string
     {
         return $this->encoding;
     }
 
+    /**
+     * Escape a string for output between HTML body tags.
+     *
+     * Suitable for: `<div>HERE</div>`, `<p>HERE</p>`.
+     *
+     * Not suitable for attributes, scripts, styles or URLs — use the dedicated
+     * helper for each of those contexts.
+     */
     public function escHtml(string $string): string
     {
-        return htmlspecialchars($string, $this->htmlSpecialCharsFlags, $this->encoding);
+        return htmlspecialchars($string, self::HTML_SPECIAL_CHARS_FLAGS, $this->encoding);
     }
 
+    /**
+     * Escape a string for use inside an HTML attribute value.
+     *
+     * Safe for quoted, single-quoted and unquoted attribute values. Every
+     * character outside `[A-Za-z0-9,.\-_]` is rewritten as a numeric or named
+     * HTML entity.
+     *
+     * @throws InvalidUtf8Exception        When the input cannot be expressed as UTF-8.
+     * @throws EncodingConversionException When iconv/mbstring fail to convert.
+     */
     public function escHtmlAttr(string $str): string
     {
         $str = $this->toUtf8($str);
-        if($str === '' || ctype_digit($str)){
+        if ($str === '' || ctype_digit($str)) {
             return $str;
         }
-        $res = preg_replace_callback('/[^a-z0-9,\.\-_]/iSu', $this->htmlAttrMatcher, $str);
-        return $this->fromUTF8($res);
+        $result = preg_replace_callback(
+            '/[^a-z0-9,\.\-_]/iSu',
+            [$this, 'htmlAttrMatcher'],
+            $str
+        );
+
+        return $this->fromUtf8($result ?? '');
     }
 
+    /**
+     * Escape a string so it can be embedded inside a JavaScript string literal.
+     *
+     * The caller is responsible for wrapping the result in matching quotes,
+     * for example `var foo = "<?= $esc->escJs($value) ?>";`.
+     *
+     * @throws InvalidUtf8Exception        When the input cannot be expressed as UTF-8.
+     * @throws EncodingConversionException When iconv/mbstring fail to convert.
+     */
     public function escJs(string $str): string
     {
         $str = $this->toUtf8($str);
-        if($str === '' || ctype_digit($str)){
+        if ($str === '' || ctype_digit($str)) {
             return $str;
         }
-        $res = preg_replace_callback('/[^a-z0-9,\._]/iSu', $this->jsMatcher, $str);
-        return $this->fromUTF8($res);
+        $result = preg_replace_callback(
+            '/[^a-z0-9,\._]/iSu',
+            [$this, 'jsMatcher'],
+            $str
+        );
+
+        return $this->fromUtf8($result ?? '');
     }
 
+    /**
+     * Percent-encode a string for safe inclusion in a URL component.
+     *
+     * Thin wrapper around {@see rawurlencode()} kept here so callers can reach
+     * every escape context through a single object.
+     */
     public function escUrl(string $str): string
     {
         return rawurlencode($str);
     }
 
+    /**
+     * Escape a string for use inside a CSS value.
+     *
+     * Every non-alphanumeric character is rewritten as `\HEX ` (with the
+     * trailing space being the CSS escape terminator).
+     *
+     * @throws InvalidUtf8Exception        When the input cannot be expressed as UTF-8.
+     * @throws EncodingConversionException When iconv/mbstring fail to convert.
+     */
     public function escCss(string $str): string
     {
         $str = $this->toUtf8($str);
-        if($str === '' || ctype_digit($str)){
+        if ($str === '' || ctype_digit($str)) {
             return $str;
         }
-        $res = preg_replace_callback('/[^a-z0-9]/iSu', $this->cssMatcher, $str);
-        return $this->fromUTF8($res);
+        $result = preg_replace_callback(
+            '/[^a-z0-9]/iSu',
+            [$this, 'cssMatcher'],
+            $str
+        );
+
+        return $this->fromUtf8($result ?? '');
     }
 
-    protected function htmlAttrMatcher($matches): string
+    /**
+     * Callback for {@see escHtmlAttr()}.
+     *
+     * @param array<int, string> $matches
+     */
+    protected function htmlAttrMatcher(array $matches): string
     {
         $chr = $matches[0];
-        $ord = ord($chr);
-        if(($ord <= 0x1f && $chr !== "\t" && $chr !== "\n" && $chr !== "\r") || ($ord >= 0x7f && $ord <= 0x9f)){
-            return '&#xFFFD;';
-        }
-        if(strlen($chr) > 1){
+        if (strlen($chr) > 1) {
             $chr = $this->convertEncoding($chr, 'UTF-32BE', 'UTF-8');
         }
-        $hex = bin2hex($chr);
-        $ord = hexdec($hex);
-        if(isset(static::$htmlNamedEntityMap[$ord])){
-            return '&' . static::$htmlNamedEntityMap[$ord] . ';';
+
+        $ord = (int) hexdec(bin2hex($chr));
+
+        // C0 (except tab/LF/CR) and C1 controls are not valid in HTML and
+        // must be replaced with the Unicode replacement character. The check
+        // is performed on the decoded code point so it also catches U+0080
+        // through U+009F when they arrive in multibyte UTF-8 form.
+        if (
+            ($ord <= 0x1F && $ord !== 0x09 && $ord !== 0x0A && $ord !== 0x0D)
+            || ($ord >= 0x7F && $ord <= 0x9F)
+        ) {
+            return '&#xFFFD;';
+        }
+
+        if (isset(self::HTML_NAMED_ENTITY_MAP[$ord])) {
+            return '&' . self::HTML_NAMED_ENTITY_MAP[$ord] . ';';
         }
-        if($ord > 255){
+
+        if ($ord > 255) {
             return sprintf('&#x%04X;', $ord);
         }
+
         return sprintf('&#x%02X;', $ord);
     }
 
-    protected function jsMatcher($matches): string
+    /**
+     * Callback for {@see escJs()}. Emits `\xNN` for single-byte characters
+     * and `\uXXXX` (or surrogate-pair `\uXXXX\uXXXX`) for multibyte ones.
+     *
+     * @param array<int, string> $matches
+     */
+    protected function jsMatcher(array $matches): string
     {
         $chr = $matches[0];
-        if(strlen($chr) === 1){
+        if (strlen($chr) === 1) {
             return sprintf('\\x%02X', ord($chr));
         }
+
         $chr = $this->convertEncoding($chr, 'UTF-16BE', 'UTF-8');
         $hex = strtoupper(bin2hex($chr));
-        if(strlen($hex) <= 4){
+
+        if (strlen($hex) <= 4) {
             return sprintf('\\u%04s', $hex);
         }
+
         $highSurrogate = substr($hex, 0, 4);
-        $lowSurrogate = substr($hex, 4, 4);
+        $lowSurrogate  = substr($hex, 4, 4);
+
         return sprintf('\\u%04s\\u%04s', $highSurrogate, $lowSurrogate);
     }
 
-    protected function cssMatcher($matches): string
+    /**
+     * Callback for {@see escCss()}. Emits `\HEX ` with the mandatory trailing
+     * space that terminates a CSS escape sequence.
+     *
+     * @param array<int, string> $matches
+     */
+    protected function cssMatcher(array $matches): string
     {
         $chr = $matches[0];
-        if(strlen($chr) === 1){
+        if (strlen($chr) === 1) {
             $ord = ord($chr);
-        }else{
+        } else {
             $chr = $this->convertEncoding($chr, 'UTF-32BE', 'UTF-8');
-            $ord = hexdec(bin2hex($chr));
+            $ord = (int) hexdec(bin2hex($chr));
         }
+
         return sprintf('\\%X ', $ord);
     }
 
-    protected function toUtf8($string)
+    /**
+     * Convert the input to UTF-8 (if it is not already) and assert that the
+     * result is well-formed.
+     *
+     * @throws InvalidUtf8Exception        When the result is not valid UTF-8.
+     * @throws EncodingConversionException When iconv/mbstring fail to convert.
+     */
+    protected function toUtf8(string $string): string
     {
-        if($this->encoding === 'utf-8'){
-            $res = $string;
-        }else{
-            $res = $this->convertEncoding($string, 'UTF-8', $this->encoding);
+        if ($this->encoding === 'utf-8') {
+            $result = $string;
+        } else {
+            $result = $this->convertEncoding($string, 'UTF-8', $this->encoding);
         }
-        if(!$this->isUTF8($res)){
-            throw new Exception(sprintf('String to be escaped was not valid UTF-8 or could not be converted: %s', $res));
+
+        if (!$this->isUtf8($result)) {
+            throw new InvalidUtf8Exception(
+                'String to be escaped was not valid UTF-8 or could not be converted.'
+            );
         }
-        return $res;
+
+        return $result;
     }
 
-    protected function isUTF8($str): bool
+    /**
+     * Convert a UTF-8 string back to the configured output encoding.
+     *
+     * @throws EncodingConversionException When iconv/mbstring fail to convert.
+     */
+    protected function fromUtf8(string $str): string
     {
-        return $str === '' || preg_match('/^./su', $str);
+        if ($this->encoding === 'utf-8') {
+            return $str;
+        }
+
+        return $this->convertEncoding($str, $this->encoding, 'UTF-8');
     }
 
-    protected function convertEncoding($str, $to, $from)
+    /**
+     * Tell whether a string is well-formed UTF-8.
+     */
+    protected function isUtf8(string $str): bool
     {
-        if(function_exists('iconv')){
-            $res = \iconv($from, $to, $str);
-        }elseif(function_exists('mb_convert_encoding')){
-            $res = \mb_convert_encoding($str, $to, $from);
-        }else{
-            throw new Exception('The MB_String plugin is required.');
-        }
-        if($res === FALSE){
-            return '';
-        }
-        return $res;
+        return $str === '' || preg_match('/^./su', $str) === 1;
     }
 
-    protected function fromUTF8($str)
+    /**
+     * Convert a string between two encodings using iconv (preferred) or
+     * mbstring (fallback).
+     *
+     * @param string $str  The source string.
+     * @param string $to   The target encoding name.
+     * @param string $from The source encoding name.
+     *
+     * @throws EncodingConversionException When neither extension is available,
+     *                                     or when the conversion fails.
+     */
+    protected function convertEncoding(string $str, string $to, string $from): string
     {
-        if($this->encoding === 'utf-8'){
-            return $str;
+        if (function_exists('iconv')) {
+            $result = @iconv($from, $to, $str);
+        } elseif (function_exists('mb_convert_encoding')) {
+            $result = @mb_convert_encoding($str, $to, $from);
+        } else {
+            throw new EncodingConversionException(
+                'Either ext-iconv or ext-mbstring is required to convert string encodings.'
+            );
         }
-        return $this->convertEncoding($str, $this->encoding, 'UTF-8');
-    }
 
+        if ($result === false) {
+            throw new EncodingConversionException(
+                sprintf('Failed to convert string from "%s" to "%s".', $from, $to)
+            );
+        }
+
+        return $result;
+    }
 }
diff --git a/src/Exception/EncodingConversionException.php b/src/Exception/EncodingConversionException.php
new file mode 100644
index 0000000..b38ab4a
--- /dev/null
+++ b/src/Exception/EncodingConversionException.php
@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Exception;
+
+/**
+ * Thrown when the underlying iconv or mbstring extension fails to convert a
+ * string between two encodings, or when neither extension is available.
+ */
+class EncodingConversionException extends EscaperException
+{
+}
diff --git a/src/Exception/EncodingNotSupportedException.php b/src/Exception/EncodingNotSupportedException.php
new file mode 100644
index 0000000..3f9d552
--- /dev/null
+++ b/src/Exception/EncodingNotSupportedException.php
@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Exception;
+
+/**
+ * Thrown when the encoding requested at construction time is not part of the
+ * supported whitelist.
+ */
+class EncodingNotSupportedException extends EscaperException
+{
+}
diff --git a/src/Exception/EscaperException.php b/src/Exception/EscaperException.php
new file mode 100644
index 0000000..f5bf47a
--- /dev/null
+++ b/src/Exception/EscaperException.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Exception;
+
+use RuntimeException;
+
+/**
+ * Base exception for all escaper-related failures.
+ *
+ * Catch this type to handle any failure originating from the escaper,
+ * regardless of the specific cause.
+ */
+class EscaperException extends RuntimeException
+{
+}
diff --git a/src/Exception/InvalidContextException.php b/src/Exception/InvalidContextException.php
new file mode 100644
index 0000000..1d7a1ec
--- /dev/null
+++ b/src/Exception/InvalidContextException.php
@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Exception;
+
+/**
+ * Thrown by {@see \InitPHP\Escaper\Esc::esc()} when an unknown escape context
+ * is requested (anything other than html, attr, js, css, url, raw).
+ */
+class InvalidContextException extends EscaperException
+{
+}
diff --git a/src/Exception/InvalidUtf8Exception.php b/src/Exception/InvalidUtf8Exception.php
new file mode 100644
index 0000000..3236b6c
--- /dev/null
+++ b/src/Exception/InvalidUtf8Exception.php
@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Exception;
+
+/**
+ * Thrown when a string is not — and cannot be converted to — valid UTF-8
+ * before being passed to a context escaper.
+ */
+class InvalidUtf8Exception extends EscaperException
+{
+}
diff --git a/tests/EscTest.php b/tests/EscTest.php
new file mode 100644
index 0000000..656b768
--- /dev/null
+++ b/tests/EscTest.php
@@ -0,0 +1,152 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Tests;
+
+use InitPHP\Escaper\Esc;
+use InitPHP\Escaper\Exception\EncodingNotSupportedException;
+use InitPHP\Escaper\Exception\InvalidContextException;
+use PHPUnit\Framework\TestCase;
+use stdClass;
+
+final class EscTest extends TestCase
+{
+    protected function setUp(): void
+    {
+        Esc::reset();
+    }
+
+    public function testHtmlContextIsDefault(): void
+    {
+        self::assertSame(
+            '&lt;b&gt;hi&lt;/b&gt;',
+            Esc::esc('<b>hi</b>')
+        );
+    }
+
+    public function testEachContextDispatchesToTheCorrectEscaper(): void
+    {
+        self::assertSame('&lt;b&gt;', Esc::esc('<b>',  'html'));
+        self::assertSame('&lt;',      Esc::esc('<',    'attr'));
+        self::assertSame('\\x3C',     Esc::esc('<',    'js'));
+        self::assertSame('\\3C ',     Esc::esc('<',    'css'));
+        self::assertSame('%3C',       Esc::esc('<',    'url'));
+    }
+
+    public function testContextLookupIsCaseInsensitive(): void
+    {
+        self::assertSame('&lt;', Esc::esc('<', 'HTML'));
+        self::assertSame('&lt;', Esc::esc('<', 'Attr'));
+    }
+
+    public function testRawContextReturnsInputUnchanged(): void
+    {
+        self::assertSame('<b>raw</b>', Esc::esc('<b>raw</b>', 'raw'));
+    }
+
+    public function testEmptyContextStringReturnsInputUnchanged(): void
+    {
+        self::assertSame('<b>raw</b>', Esc::esc('<b>raw</b>', ''));
+    }
+
+    public function testInvalidContextThrows(): void
+    {
+        $this->expectException(InvalidContextException::class);
+        $this->expectExceptionMessage('Invalid escape context "xml".');
+
+        Esc::esc('<b>x</b>', 'xml');
+    }
+
+    public function testArrayIsEscapedRecursively(): void
+    {
+        $input = [
+            'a' => '<x>',
+            'b' => ['c' => '<y>', 'd' => ['e' => '<z>']],
+        ];
+
+        self::assertSame(
+            [
+                'a' => '&lt;x&gt;',
+                'b' => ['c' => '&lt;y&gt;', 'd' => ['e' => '&lt;z&gt;']],
+            ],
+            Esc::esc($input)
+        );
+    }
+
+    public function testNonStringNonArrayValuesArePassedThrough(): void
+    {
+        self::assertSame(42,    Esc::esc(42));
+        self::assertSame(3.14,  Esc::esc(3.14));
+        self::assertTrue(Esc::esc(true));
+        self::assertNull(Esc::esc(null));
+
+        $object = new stdClass();
+        self::assertSame($object, Esc::esc($object));
+    }
+
+    public function testNonStringValuesInsideArrayArePreserved(): void
+    {
+        $input = ['a' => '<x>', 'b' => 1, 'c' => null, 'd' => true];
+
+        self::assertSame(
+            ['a' => '&lt;x&gt;', 'b' => 1, 'c' => null, 'd' => true],
+            Esc::esc($input)
+        );
+    }
+
+    public function testEncodingIsPropagatedThroughRecursiveCalls(): void
+    {
+        // ISO-8859-1 byte for "é"
+        $input = ['greeting' => "\xE9"];
+
+        $output = Esc::esc($input, 'html', 'iso-8859-1');
+
+        self::assertSame(['greeting' => "\xE9"], $output);
+    }
+
+    public function testInstancesAreMemoisedPerEncoding(): void
+    {
+        // Two consecutive default calls must reuse the same Escaper.
+        Esc::reset();
+        Esc::esc('a');
+        Esc::esc('b');
+
+        $reflection = new \ReflectionClass(Esc::class);
+        $property   = $reflection->getProperty('instances');
+        $property->setAccessible(true);
+
+        /** @var array<string, object> $instances */
+        $instances = $property->getValue();
+
+        self::assertCount(1, $instances);
+        self::assertArrayHasKey('utf-8', $instances);
+    }
+
+    public function testDifferentEncodingsAreCachedIndependently(): void
+    {
+        Esc::reset();
+        Esc::esc('a', 'html');
+        Esc::esc('a', 'html', 'iso-8859-1');
+        Esc::esc('a', 'html', 'windows-1252');
+
+        $reflection = new \ReflectionClass(Esc::class);
+        $property   = $reflection->getProperty('instances');
+        $property->setAccessible(true);
+
+        /** @var array<string, object> $instances */
+        $instances = $property->getValue();
+
+        self::assertCount(3, $instances);
+        self::assertArrayHasKey('utf-8',        $instances);
+        self::assertArrayHasKey('iso-8859-1',   $instances);
+        self::assertArrayHasKey('windows-1252', $instances);
+    }
+
+    public function testInvalidEncodingPropagatesAsEncodingException(): void
+    {
+        $this->expectException(EncodingNotSupportedException::class);
+
+        Esc::esc('a', 'html', 'not-a-real-encoding');
+    }
+}
diff --git a/tests/EscaperCssTest.php b/tests/EscaperCssTest.php
new file mode 100644
index 0000000..bdc761c
--- /dev/null
+++ b/tests/EscaperCssTest.php
@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Tests;
+
+use InitPHP\Escaper\Escaper;
+use PHPUnit\Framework\TestCase;
+
+final class EscaperCssTest extends TestCase
+{
+    private Escaper $escaper;
+
+    protected function setUp(): void
+    {
+        $this->escaper = new Escaper();
+    }
+
+    public function testEmptyStringShortCircuits(): void
+    {
+        self::assertSame('', $this->escaper->escCss(''));
+    }
+
+    public function testDigitsOnlyShortCircuits(): void
+    {
+        self::assertSame('42', $this->escaper->escCss('42'));
+    }
+
+    public function testAlphanumericPassesThroughUnchanged(): void
+    {
+        self::assertSame('abcXYZ123', $this->escaper->escCss('abcXYZ123'));
+    }
+
+    public function testSingleByteSpecialCharsBecomeHexEscape(): void
+    {
+        // CSS escape is "\HEX " with a mandatory terminating space.
+        self::assertSame('\\20 ', $this->escaper->escCss(' '));
+        self::assertSame('\\7B ', $this->escaper->escCss('{'));
+        self::assertSame('\\7D ', $this->escaper->escCss('}'));
+        self::assertSame('\\27 ', $this->escaper->escCss("'"));
+        self::assertSame('\\22 ', $this->escaper->escCss('"'));
+    }
+
+    public function testStyleBreakoutVectorIsEscaped(): void
+    {
+        $input  = '</style><script>alert(1)</script>';
+        $output = $this->escaper->escCss($input);
+
+        self::assertSame(
+            '\\3C \\2F style\\3E \\3C script\\3E alert\\28 1\\29 \\3C \\2F script\\3E ',
+            $output
+        );
+    }
+
+    public function testBmpMultibyteCharacterBecomesHexEscape(): void
+    {
+        // U+015F LATIN SMALL LETTER S WITH CEDILLA (ş)
+        self::assertSame('\\15F ', $this->escaper->escCss('ş'));
+    }
+
+    public function testSupplementaryPlaneCharacterBecomesHexEscape(): void
+    {
+        // U+1F680 → 1F680 in hex.
+        self::assertSame('\\1F680 ', $this->escaper->escCss('🚀'));
+    }
+}
diff --git a/tests/EscaperEncodingTest.php b/tests/EscaperEncodingTest.php
new file mode 100644
index 0000000..60ae31e
--- /dev/null
+++ b/tests/EscaperEncodingTest.php
@@ -0,0 +1,76 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Tests;
+
+use InitPHP\Escaper\Escaper;
+use InitPHP\Escaper\Exception\EncodingNotSupportedException;
+use InitPHP\Escaper\Exception\EscaperException;
+use InitPHP\Escaper\Exception\InvalidUtf8Exception;
+use PHPUnit\Framework\TestCase;
+
+final class EscaperEncodingTest extends TestCase
+{
+    public function testDefaultsToUtf8(): void
+    {
+        self::assertSame('utf-8', (new Escaper())->getEncoding());
+    }
+
+    public function testNullEncodingResolvesToUtf8(): void
+    {
+        self::assertSame('utf-8', (new Escaper(null))->getEncoding());
+    }
+
+    public function testEmptyStringEncodingResolvesToUtf8(): void
+    {
+        self::assertSame('utf-8', (new Escaper(''))->getEncoding());
+    }
+
+    public function testEncodingLookupIsCaseInsensitive(): void
+    {
+        self::assertSame('utf-8',        (new Escaper('UTF-8'))->getEncoding());
+        self::assertSame('windows-1252', (new Escaper('Windows-1252'))->getEncoding());
+        self::assertSame('iso-8859-1',   (new Escaper('ISO-8859-1'))->getEncoding());
+    }
+
+    public function testUnsupportedEncodingThrows(): void
+    {
+        $this->expectException(EncodingNotSupportedException::class);
+        $this->expectExceptionMessage('Encoding "utf-16" is not supported.');
+
+        new Escaper('utf-16');
+    }
+
+    public function testEncodingExceptionIsAnEscaperException(): void
+    {
+        try {
+            new Escaper('not-a-real-encoding');
+            self::fail('Expected EncodingNotSupportedException');
+        } catch (EscaperException $e) {
+            self::assertInstanceOf(EncodingNotSupportedException::class, $e);
+        }
+    }
+
+    public function testNonUtf8InputIsConvertedThenEscaped(): void
+    {
+        $escaper = new Escaper('iso-8859-1');
+
+        // ISO-8859-1 byte 0xE9 == "é". When fed in as a single byte the
+        // escaper must first decode it to UTF-8, then re-encode the output
+        // back to ISO-8859-1.
+        $output = $escaper->escHtml("\xE9");
+
+        // htmlspecialchars receives 'é' in UTF-8 and leaves it alone, but
+        // returns it encoded back to ISO-8859-1 → 0xE9.
+        self::assertSame("\xE9", $output);
+    }
+
+    public function testInvalidUtf8InAttributeContextThrows(): void
+    {
+        $this->expectException(InvalidUtf8Exception::class);
+
+        // 0xC3 0x28 is a broken 2-byte sequence.
+        (new Escaper())->escHtmlAttr("\xC3\x28");
+    }
+}
diff --git a/tests/EscaperHtmlAttrTest.php b/tests/EscaperHtmlAttrTest.php
new file mode 100644
index 0000000..831d2f2
--- /dev/null
+++ b/tests/EscaperHtmlAttrTest.php
@@ -0,0 +1,99 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Tests;
+
+use InitPHP\Escaper\Escaper;
+use PHPUnit\Framework\TestCase;
+
+final class EscaperHtmlAttrTest extends TestCase
+{
+    private Escaper $escaper;
+
+    protected function setUp(): void
+    {
+        $this->escaper = new Escaper();
+    }
+
+    public function testEmptyStringShortCircuits(): void
+    {
+        self::assertSame('', $this->escaper->escHtmlAttr(''));
+    }
+
+    public function testDigitsOnlyShortCircuits(): void
+    {
+        self::assertSame('12345', $this->escaper->escHtmlAttr('12345'));
+    }
+
+    public function testWhitelistCharactersPassThrough(): void
+    {
+        self::assertSame(
+            'abc,XYZ.-_0123',
+            $this->escaper->escHtmlAttr('abc,XYZ.-_0123')
+        );
+    }
+
+    public function testQuotelessAttributeInjectionVector(): void
+    {
+        $input = 'faketitle onmouseover=alert(/InitPHP!/);';
+
+        self::assertSame(
+            'faketitle&#x20;onmouseover&#x3D;alert&#x28;&#x2F;InitPHP&#x21;&#x2F;&#x29;&#x3B;',
+            $this->escaper->escHtmlAttr($input)
+        );
+    }
+
+    public function testNamedEntitiesPreferredOverNumericForms(): void
+    {
+        self::assertSame('&quot;', $this->escaper->escHtmlAttr('"'));
+        self::assertSame('&amp;',  $this->escaper->escHtmlAttr('&'));
+        self::assertSame('&lt;',   $this->escaper->escHtmlAttr('<'));
+        self::assertSame('&gt;',   $this->escaper->escHtmlAttr('>'));
+    }
+
+    public function testControlCharactersBecomeReplacementCharacter(): void
+    {
+        // 0x00, 0x01, 0x1B all fall into the C0 range and must not survive.
+        self::assertSame('&#xFFFD;', $this->escaper->escHtmlAttr("\x00"));
+        self::assertSame('&#xFFFD;', $this->escaper->escHtmlAttr("\x01"));
+        self::assertSame('&#xFFFD;', $this->escaper->escHtmlAttr("\x1B"));
+    }
+
+    public function testTabLineFeedAndCarriageReturnAreEscapedNotReplaced(): void
+    {
+        // Tab/LF/CR are explicitly exempted from the replacement rule.
+        self::assertSame('&#x09;', $this->escaper->escHtmlAttr("\t"));
+        self::assertSame('&#x0A;', $this->escaper->escHtmlAttr("\n"));
+        self::assertSame('&#x0D;', $this->escaper->escHtmlAttr("\r"));
+    }
+
+    public function testC1ControlsBecomeReplacementCharacter(): void
+    {
+        // U+007F DEL (single-byte UTF-8).
+        self::assertSame('&#xFFFD;', $this->escaper->escHtmlAttr("\x7F"));
+        // U+0080 PADDING CHARACTER (multibyte UTF-8: 0xC2 0x80).
+        self::assertSame('&#xFFFD;', $this->escaper->escHtmlAttr("\xC2\x80"));
+        // U+009F APPLICATION PROGRAM COMMAND (multibyte UTF-8: 0xC2 0x9F).
+        self::assertSame('&#xFFFD;', $this->escaper->escHtmlAttr("\xC2\x9F"));
+    }
+
+    public function testU00A0IsEscapedNotReplaced(): void
+    {
+        // U+00A0 NO-BREAK SPACE sits just outside the C1 range and must be
+        // escaped as a normal character, not replaced.
+        self::assertSame('&#xA0;', $this->escaper->escHtmlAttr("\xC2\xA0"));
+    }
+
+    public function testBmpMultibyteCharacterUsesFourDigitHex(): void
+    {
+        // U+015F LATIN SMALL LETTER S WITH CEDILLA (ş)
+        self::assertSame('&#x015F;', $this->escaper->escHtmlAttr('ş'));
+    }
+
+    public function testSupplementaryPlaneCharacterEmitsFullHex(): void
+    {
+        // U+1F680 ROCKET — beyond the BMP.
+        self::assertSame('&#x1F680;', $this->escaper->escHtmlAttr('🚀'));
+    }
+}
diff --git a/tests/EscaperHtmlTest.php b/tests/EscaperHtmlTest.php
new file mode 100644
index 0000000..966260d
--- /dev/null
+++ b/tests/EscaperHtmlTest.php
@@ -0,0 +1,65 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Tests;
+
+use InitPHP\Escaper\Escaper;
+use PHPUnit\Framework\TestCase;
+
+final class EscaperHtmlTest extends TestCase
+{
+    private Escaper $escaper;
+
+    protected function setUp(): void
+    {
+        $this->escaper = new Escaper();
+    }
+
+    public function testEscapesAngleBracketsAndQuotes(): void
+    {
+        $input  = '<script>alert("xss")</script>';
+        $output = $this->escaper->escHtml($input);
+
+        self::assertSame(
+            '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;',
+            $output
+        );
+    }
+
+    public function testEscapesSingleQuoteWithEntQuotes(): void
+    {
+        self::assertSame('&#039;', $this->escaper->escHtml("'"));
+    }
+
+    public function testEscapesAmpersand(): void
+    {
+        self::assertSame('Tom &amp; Jerry', $this->escaper->escHtml('Tom & Jerry'));
+    }
+
+    public function testEmptyStringReturnsEmptyString(): void
+    {
+        self::assertSame('', $this->escaper->escHtml(''));
+    }
+
+    public function testPlainAsciiPassesThroughUnchanged(): void
+    {
+        self::assertSame('Hello, world!', $this->escaper->escHtml('Hello, world!'));
+    }
+
+    public function testMultibyteCharactersPassThroughInUtf8(): void
+    {
+        // htmlspecialchars only touches &, <, >, ", ' — multibyte stays.
+        self::assertSame('Merhaba dünya — şŞıİğĞ', $this->escaper->escHtml('Merhaba dünya — şŞıİğĞ'));
+    }
+
+    public function testInvalidByteSequenceIsReplacedNotDropped(): void
+    {
+        // ENT_SUBSTITUTE replaces malformed UTF-8 with U+FFFD instead of
+        // returning an empty string (the unsafe ENT_IGNORE behaviour).
+        $invalid = "\xC3\x28"; // invalid 2-byte sequence
+        $output  = $this->escaper->escHtml($invalid);
+
+        self::assertNotSame('', $output);
+    }
+}
diff --git a/tests/EscaperJsTest.php b/tests/EscaperJsTest.php
new file mode 100644
index 0000000..42a9c22
--- /dev/null
+++ b/tests/EscaperJsTest.php
@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Tests;
+
+use InitPHP\Escaper\Escaper;
+use PHPUnit\Framework\TestCase;
+
+final class EscaperJsTest extends TestCase
+{
+    private Escaper $escaper;
+
+    protected function setUp(): void
+    {
+        $this->escaper = new Escaper();
+    }
+
+    public function testEmptyStringShortCircuits(): void
+    {
+        self::assertSame('', $this->escaper->escJs(''));
+    }
+
+    public function testDigitsOnlyShortCircuits(): void
+    {
+        self::assertSame('98765', $this->escaper->escJs('98765'));
+    }
+
+    public function testWhitelistCharactersPassThrough(): void
+    {
+        self::assertSame('abc,XYZ._0', $this->escaper->escJs('abc,XYZ._0'));
+    }
+
+    public function testEntityBasedInjectionVectorIsEscaped(): void
+    {
+        $input = 'bar&quot;; alert(&quot;Hello!&quot;); var xss=&quot;true';
+
+        self::assertSame(
+            'bar\\x26quot\\x3B\\x3B\\x20alert\\x28\\x26quot\\x3BHello\\x21\\x26quot\\x3B\\x29\\x3B\\x20var\\x20xss\\x3D\\x26quot\\x3Btrue',
+            $this->escaper->escJs($input)
+        );
+    }
+
+    public function testSingleByteSpecialCharsBecomeHexEscapes(): void
+    {
+        self::assertSame('\\x20', $this->escaper->escJs(' '));
+        self::assertSame('\\x22', $this->escaper->escJs('"'));
+        self::assertSame('\\x2F', $this->escaper->escJs('/'));
+        self::assertSame('\\x3C', $this->escaper->escJs('<'));
+    }
+
+    public function testBmpMultibyteCharacterBecomesUnicodeEscape(): void
+    {
+        // U+015F LATIN SMALL LETTER S WITH CEDILLA (ş)
+        self::assertSame('\\u015F', $this->escaper->escJs('ş'));
+    }
+
+    public function testSupplementaryPlaneCharacterBecomesSurrogatePair(): void
+    {
+        // U+1F680 → high surrogate D83D + low surrogate DE80
+        self::assertSame('\\uD83D\\uDE80', $this->escaper->escJs('🚀'));
+    }
+}
diff --git a/tests/EscaperUrlTest.php b/tests/EscaperUrlTest.php
new file mode 100644
index 0000000..043fd51
--- /dev/null
+++ b/tests/EscaperUrlTest.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Tests;
+
+use InitPHP\Escaper\Escaper;
+use PHPUnit\Framework\TestCase;
+
+final class EscaperUrlTest extends TestCase
+{
+    private Escaper $escaper;
+
+    protected function setUp(): void
+    {
+        $this->escaper = new Escaper();
+    }
+
+    public function testEmptyStringReturnsEmptyString(): void
+    {
+        self::assertSame('', $this->escaper->escUrl(''));
+    }
+
+    public function testRfc3986UnreservedCharactersAreNotEncoded(): void
+    {
+        self::assertSame('Hello.world-1_2~3', $this->escaper->escUrl('Hello.world-1_2~3'));
+    }
+
+    public function testSpaceIsPercentEncodedAsPercent20(): void
+    {
+        // rawurlencode (RFC 3986) — not "+" like urlencode.
+        self::assertSame('foo%20bar', $this->escaper->escUrl('foo bar'));
+    }
+
+    public function testJavascriptInjectionVectorIsPercentEncoded(): void
+    {
+        $input  = '" onmouseover="alert(\'hello\')';
+        $output = $this->escaper->escUrl($input);
+
+        self::assertSame(
+            '%22%20onmouseover%3D%22alert%28%27hello%27%29',
+            $output
+        );
+    }
+}
diff --git a/tests/ExceptionHierarchyTest.php b/tests/ExceptionHierarchyTest.php
new file mode 100644
index 0000000..3dc3fe9
--- /dev/null
+++ b/tests/ExceptionHierarchyTest.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace InitPHP\Escaper\Tests;
+
+use InitPHP\Escaper\Exception\EncodingConversionException;
+use InitPHP\Escaper\Exception\EncodingNotSupportedException;
+use InitPHP\Escaper\Exception\EscaperException;
+use InitPHP\Escaper\Exception\InvalidContextException;
+use InitPHP\Escaper\Exception\InvalidUtf8Exception;
+use PHPUnit\Framework\TestCase;
+use RuntimeException;
+
+/**
+ * Locks the package exception tree in place so a future refactor that
+ * accidentally re-parents an exception fails loudly.
+ */
+final class ExceptionHierarchyTest extends TestCase
+{
+    public function testBaseExtendsRuntimeException(): void
+    {
+        self::assertTrue(is_subclass_of(EscaperException::class, RuntimeException::class));
+    }
+
+    public function testEncodingNotSupportedExtendsBase(): void
+    {
+        self::assertTrue(is_subclass_of(EncodingNotSupportedException::class, EscaperException::class));
+    }
+
+    public function testEncodingConversionExtendsBase(): void
+    {
+        self::assertTrue(is_subclass_of(EncodingConversionException::class, EscaperException::class));
+    }
+
+    public function testInvalidContextExtendsBase(): void
+    {
+        self::assertTrue(is_subclass_of(InvalidContextException::class, EscaperException::class));
+    }
+
+    public function testInvalidUtf8ExtendsBase(): void
+    {
+        self::assertTrue(is_subclass_of(InvalidUtf8Exception::class, EscaperException::class));
+    }
+}

From 188eb3ced643234040a26ed5715efcb9d9aabba5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Muhammet=20=C5=9Eafak?= <info@muhammetsafak.com.tr>
Date: Mon, 25 May 2026 08:52:39 +0300
Subject: [PATCH 2/4] Update Composer dependencies and add PHP-CS-Fixer
 configuration file

---
 .gitattributes                   | 17 ++++++++-------
 .github/workflows/ci.yml         | 34 +++++++++++++++++++++++++++++
 .gitignore                       |  1 +
 .php-cs-fixer.dist.php           | 32 +++++++++++++++++++++++++++
 Examples/Attr.php                | 23 --------------------
 Examples/Css.php                 | 28 ------------------------
 Examples/Html.php                | 20 -----------------
 Examples/Js.php                  | 24 ---------------------
 Examples/Url.php                 | 21 ------------------
 README.md                        | 11 +++++++++-
 composer.json                    | 22 +++++++++++++++++--
 phpstan.neon.dist                |  6 ++++++
 src/Esc.php                      | 29 ++++++++++++++-----------
 src/Escaper.php                  | 37 ++++++++++++++------------------
 tests/EscTest.php                | 18 ++++++++--------
 tests/EscaperEncodingTest.php    |  4 ++--
 tests/EscaperHtmlAttrTest.php    |  6 +++---
 tests/ExceptionHierarchyTest.php | 25 ++++++++++++++++-----
 18 files changed, 178 insertions(+), 180 deletions(-)
 create mode 100644 .php-cs-fixer.dist.php
 delete mode 100644 Examples/Attr.php
 delete mode 100644 Examples/Css.php
 delete mode 100644 Examples/Html.php
 delete mode 100644 Examples/Js.php
 delete mode 100644 Examples/Url.php
 create mode 100644 phpstan.neon.dist

diff --git a/.gitattributes b/.gitattributes
index 44fa4dc..7f5d248 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,9 +1,10 @@
 # Exclude from Composer dist tarballs.
-/.github           export-ignore
-/.gitattributes    export-ignore
-/.gitignore        export-ignore
-/.phpunit.cache    export-ignore
-/Examples          export-ignore
-/docs              export-ignore
-/tests             export-ignore
-/phpunit.xml.dist  export-ignore
+/.github                  export-ignore
+/.gitattributes           export-ignore
+/.gitignore               export-ignore
+/.php-cs-fixer.dist.php   export-ignore
+/.phpunit.cache           export-ignore
+/docs                     export-ignore
+/phpstan.neon.dist        export-ignore
+/phpunit.xml.dist         export-ignore
+/tests                    export-ignore
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 66354ae..b823b6a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,6 +19,40 @@ jobs:
           tools: composer:v2
       - run: composer validate --strict
 
+  cs:
+    name: PHP-CS-Fixer
+    runs-on: ubuntu-latest
+    needs: validate
+    steps:
+      - uses: actions/checkout@v4
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.2"
+          extensions: ctype, mbstring, iconv
+          coverage: none
+          tools: composer:v2
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-interaction
+      - name: Check coding standards
+        run: composer cs-check
+
+  stan:
+    name: PHPStan
+    runs-on: ubuntu-latest
+    needs: validate
+    steps:
+      - uses: actions/checkout@v4
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: "8.2"
+          extensions: ctype, mbstring, iconv
+          coverage: none
+          tools: composer:v2
+      - name: Install dependencies
+        run: composer install --prefer-dist --no-progress --no-interaction
+      - name: Run PHPStan
+        run: composer stan
+
   tests:
     name: PHPUnit (PHP ${{ matrix.php }})
     runs-on: ubuntu-latest
diff --git a/.gitignore b/.gitignore
index 359db29..8bb648c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@
 /build/
 /.phpunit.cache/
 /.phpunit.result.cache
+/.php-cs-fixer.cache
diff --git a/.php-cs-fixer.dist.php b/.php-cs-fixer.dist.php
new file mode 100644
index 0000000..7deb8da
--- /dev/null
+++ b/.php-cs-fixer.dist.php
@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+$finder = PhpCsFixer\Finder::create()
+    ->in([__DIR__ . '/src', __DIR__ . '/tests'])
+    ->name('*.php');
+
+return (new PhpCsFixer\Config())
+    ->setRiskyAllowed(true)
+    ->setRules([
+        '@PSR12'                 => true,
+        '@PSR12:risky'           => true,
+        '@PHP74Migration'        => true,
+        '@PHP74Migration:risky'  => true,
+        'array_syntax'           => ['syntax' => 'short'],
+        'declare_strict_types'   => true,
+        'native_function_invocation' => [
+            'include' => ['@compiler_optimized'],
+            'scope'   => 'namespaced',
+            'strict'  => true,
+        ],
+        'no_unused_imports'      => true,
+        'ordered_imports'        => [
+            'imports_order'  => ['class', 'function', 'const'],
+            'sort_algorithm' => 'alpha',
+        ],
+        'single_quote'           => true,
+        'trailing_comma_in_multiline' => ['elements' => ['arrays']],
+    ])
+    ->setFinder($finder)
+    ->setCacheFile(__DIR__ . '/build/php-cs-fixer.cache');
diff --git a/Examples/Attr.php b/Examples/Attr.php
deleted file mode 100644
index 1d5e62d..0000000
--- a/Examples/Attr.php
+++ /dev/null
@@ -1,23 +0,0 @@
-<?php
-require_once "../vendor/autoload.php";
-use \InitPHP\Escaper\Esc;
-
-$input = 'faketitle onmouseover=alert(/InitPHP!/);';
-?>
-<!DOCTYPE html>
-<html>
-<head>
-    <title>Quoteless Attribute</title>
-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-</head>
-<body>
-<div>
-    <?php
-    // <span title=faketitle&#x20;onmouseover&#x3D;alert&#x28;&#x2F;InitPHP&#x21;&#x2F;&#x29;&#x3B;>
-    ?>
-    <span title=<?php echo Esc::esc($input, 'attr'); ?>>
-            Hello World
-    </span>
-</div>
-</body>
-</html>
\ No newline at end of file
diff --git a/Examples/Css.php b/Examples/Css.php
deleted file mode 100644
index bf5443e..0000000
--- a/Examples/Css.php
+++ /dev/null
@@ -1,28 +0,0 @@
-<?php
-require_once "../vendor/autoload.php";
-use \InitPHP\Escaper\Esc;
-
-$input = <<<INPUT
-body {
-    background-image: url('http://example.com/bar.jpg?</style><script>alert(13)</script>');
-}
-INPUT;
-?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-    <title>Escaped CSS</title>
-    <meta charset="UTF-8"/>
-    <style>
-        <?php
-        /**
-        * body\20 \7B \D \A \20 \20 \20 \20 background\2D image\3A \20 url\28 \27 http\3A \2F \2F example\2E com\2F bar\2E jpg\3F \3C \2F style\3E \3C script\3E alert\28 13\29 \3C \2F script\3E \27 \29 \3B \D \A \7D
-        */
-        echo Esc::esc($input, 'css');
-        ?>
-    </style>
-</head>
-<body>
-<p>User controlled CSS needs to be properly escaped!</p>
-</body>
-</html>
\ No newline at end of file
diff --git a/Examples/Html.php b/Examples/Html.php
deleted file mode 100644
index be8bad7..0000000
--- a/Examples/Html.php
+++ /dev/null
@@ -1,20 +0,0 @@
-<?php
-require_once "../vendor/autoload.php";
-use \InitPHP\Escaper\Esc;
-?>
-<!DOCTYPE html>
-<html>
-<head>
-    <title>Encodings set correctly!</title>
-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-</head>
-<body>
-<?php
-
-$input = '<script>alert("initphp")</script>';
-
-// &lt;script&gt;alert(&quot;initphp&quot;)&lt;/script&gt;
-echo Esc::esc($input, 'html');
-
-?>
-</body></html>
\ No newline at end of file
diff --git a/Examples/Js.php b/Examples/Js.php
deleted file mode 100644
index 6156d03..0000000
--- a/Examples/Js.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php
-require_once "../vendor/autoload.php";
-use InitPHP\Escaper\Esc;
-
-$input = 'bar&quot;; alert(&quot;Hello!&quot;); var xss=&quot;true';
-?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-    <title>Escaped Entities</title>
-    <meta charset="UTF-8"/>
-    <script type="text/javascript">
-        <?php
-        /**
-         * var foo = bar\x26quot\x3B\x3B\x20alert\x28\x26quot\x3BHello\x21\x26quot\x3B\x29\x3B\x20var\x20xss\x3D\x26quot\x3Btrue;
-         */
-        ?>
-        var foo = <?php echo Esc::esc($input, 'js'); ?>;
-    </script>
-</head>
-<body>
-<p>Hello World</p>
-</body>
-</html>
\ No newline at end of file
diff --git a/Examples/Url.php b/Examples/Url.php
deleted file mode 100644
index e8654a2..0000000
--- a/Examples/Url.php
+++ /dev/null
@@ -1,21 +0,0 @@
-<?php
-require_once "../vendor/autoload.php";
-use \InitPHP\Escaper\Esc;
-
-$query = <<<QUERY
-" onmouseover="alert('hello')
-QUERY;
-?>
-<!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-    <title>Unescaped URL data</title>
-    <meta charset="UTF-8"/>
-</head>
-<body>
-<?php
-// http://example.com/?query=%22%20onmouseover%3D%22alert%28%27hello%27%29
-?>
-<a href="http://example.com/?query=<?php echo Esc::esc($query, 'url'); ?>">Click here!</a>
-</body>
-</html>
\ No newline at end of file
diff --git a/README.md b/README.md
index 062595a..92d5c6c 100644
--- a/README.md
+++ b/README.md
@@ -132,9 +132,18 @@ A typical loop is:
 git clone https://github.com/InitPHP/Escaper.git
 cd Escaper
 composer install
-composer test
+composer ci          # cs-check + phpstan + phpunit
 ```
 
+Individual steps are also available:
+
+| Command            | What it does                                |
+| ------------------ | ------------------------------------------- |
+| `composer test`    | Run PHPUnit                                 |
+| `composer stan`    | Run PHPStan (max level)                     |
+| `composer cs-check`| Report PHP-CS-Fixer violations, no changes  |
+| `composer cs-fix`  | Apply PHP-CS-Fixer changes                  |
+
 ## Security
 
 If you discover a security issue, please follow the disclosure process
diff --git a/composer.json b/composer.json
index ef46f80..95398af 100644
--- a/composer.json
+++ b/composer.json
@@ -34,7 +34,9 @@
         "ext-mbstring": "*"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.6 || ^10.5 || ^11.5"
+        "phpunit/phpunit": "^9.6 || ^10.5 || ^11.5",
+        "phpstan/phpstan": "^1.12 || ^2.1",
+        "friendsofphp/php-cs-fixer": "^3.65"
     },
     "suggest": {
         "ext-iconv": "Preferred for encoding conversion; iconv is tried before mbstring."
@@ -51,7 +53,23 @@
     },
     "scripts": {
         "test": "phpunit",
-        "test-coverage": "phpunit --coverage-html build/coverage"
+        "test-coverage": "phpunit --coverage-html build/coverage",
+        "stan": "phpstan analyse --no-progress",
+        "cs-check": "php-cs-fixer fix --dry-run --diff",
+        "cs-fix": "php-cs-fixer fix",
+        "ci": [
+            "@cs-check",
+            "@stan",
+            "@test"
+        ]
+    },
+    "scripts-descriptions": {
+        "test": "Run the PHPUnit test suite.",
+        "test-coverage": "Run PHPUnit and produce an HTML coverage report under build/coverage.",
+        "stan": "Run PHPStan at the level configured in phpstan.neon.dist.",
+        "cs-check": "Report any PHP-CS-Fixer violations without modifying files.",
+        "cs-fix": "Apply PHP-CS-Fixer fixes in-place.",
+        "ci": "Run the full CI bundle locally: cs-check, stan, test."
     },
     "minimum-stability": "stable"
 }
diff --git a/phpstan.neon.dist b/phpstan.neon.dist
new file mode 100644
index 0000000..5b7f9e5
--- /dev/null
+++ b/phpstan.neon.dist
@@ -0,0 +1,6 @@
+parameters:
+    level: max
+    paths:
+        - src
+        - tests
+    tmpDir: build/phpstan
diff --git a/src/Esc.php b/src/Esc.php
index 7dc0cb7..199d76d 100644
--- a/src/Esc.php
+++ b/src/Esc.php
@@ -15,8 +15,6 @@
 
 use InitPHP\Escaper\Exception\InvalidContextException;
 
-use function is_array;
-use function is_string;
 use function strtolower;
 
 /**
@@ -54,21 +52,26 @@ class Esc
      * Escape a string — or every string inside an array — for the given
      * output context.
      *
-     * Non-string scalars and objects inside an array are returned unchanged.
-     * For a top-level non-string, non-array value the input is returned as-is.
+     * Behaviour by input type:
+     * - **string** — escaped according to `$context` and returned.
+     * - **array** — every element is escaped recursively. Keys are not
+     *   touched; non-string, non-array elements are returned unchanged.
+     * - **anything else** — returned as-is.
      *
-     * @param array<array-key, mixed>|string $data     The value to escape.
-     * @param string                         $context  One of: html, attr, js, css, url, raw.
-     *                                                 Lookup is case-insensitive.
-     * @param string|null                    $encoding Output encoding; null uses UTF-8.
+     * @param mixed       $data     The value to escape.
+     * @param string      $context  One of `html`, `attr`, `js`, `css`,
+     *                              `url`, `raw`. Lookup is case-insensitive.
+     *                              The empty string is treated like `raw`.
+     * @param string|null $encoding Output encoding; null resolves to UTF-8.
      *
-     * @return array<array-key, mixed>|string
+     * @return mixed The escaped value, or the original value unchanged for
+     *               unsupported types and `raw`/empty contexts.
      *
-     * @throws InvalidContextException When $context is not a recognised name.
+     * @throws InvalidContextException When `$context` is not a recognised name.
      */
     public static function esc($data, string $context = 'html', ?string $encoding = null)
     {
-        if (is_array($data)) {
+        if (\is_array($data)) {
             foreach ($data as &$value) {
                 $value = self::esc($value, $context, $encoding);
             }
@@ -77,7 +80,7 @@ public static function esc($data, string $context = 'html', ?string $encoding =
             return $data;
         }
 
-        if (!is_string($data)) {
+        if (!\is_string($data)) {
             return $data;
         }
 
@@ -88,7 +91,7 @@ public static function esc($data, string $context = 'html', ?string $encoding =
 
         if (!isset(self::CONTEXT_METHODS[$context])) {
             throw new InvalidContextException(
-                sprintf('Invalid escape context "%s".', $context)
+                \sprintf('Invalid escape context "%s".', $context)
             );
         }
 
diff --git a/src/Escaper.php b/src/Escaper.php
index 50b3a6f..15af53d 100644
--- a/src/Escaper.php
+++ b/src/Escaper.php
@@ -19,18 +19,13 @@
 
 use function bin2hex;
 use function ctype_digit;
-use function function_exists;
 use function hexdec;
 use function htmlspecialchars;
 use function iconv;
-use function in_array;
 use function mb_convert_encoding;
-use function ord;
 use function preg_match;
 use function preg_replace_callback;
 use function rawurlencode;
-use function sprintf;
-use function strlen;
 use function strtolower;
 use function strtoupper;
 use function substr;
@@ -138,9 +133,9 @@ public function __construct(?string $encoding = null)
     {
         if ($encoding !== null && $encoding !== '') {
             $encoding = strtolower($encoding);
-            if (!in_array($encoding, self::SUPPORTED_ENCODINGS, true)) {
+            if (!\in_array($encoding, self::SUPPORTED_ENCODINGS, true)) {
                 throw new EncodingNotSupportedException(
-                    sprintf('Encoding "%s" is not supported.', $encoding)
+                    \sprintf('Encoding "%s" is not supported.', $encoding)
                 );
             }
             $this->encoding = $encoding;
@@ -260,7 +255,7 @@ public function escCss(string $str): string
     protected function htmlAttrMatcher(array $matches): string
     {
         $chr = $matches[0];
-        if (strlen($chr) > 1) {
+        if (\strlen($chr) > 1) {
             $chr = $this->convertEncoding($chr, 'UTF-32BE', 'UTF-8');
         }
 
@@ -282,10 +277,10 @@ protected function htmlAttrMatcher(array $matches): string
         }
 
         if ($ord > 255) {
-            return sprintf('&#x%04X;', $ord);
+            return \sprintf('&#x%04X;', $ord);
         }
 
-        return sprintf('&#x%02X;', $ord);
+        return \sprintf('&#x%02X;', $ord);
     }
 
     /**
@@ -297,21 +292,21 @@ protected function htmlAttrMatcher(array $matches): string
     protected function jsMatcher(array $matches): string
     {
         $chr = $matches[0];
-        if (strlen($chr) === 1) {
-            return sprintf('\\x%02X', ord($chr));
+        if (\strlen($chr) === 1) {
+            return \sprintf('\\x%02X', \ord($chr));
         }
 
         $chr = $this->convertEncoding($chr, 'UTF-16BE', 'UTF-8');
         $hex = strtoupper(bin2hex($chr));
 
-        if (strlen($hex) <= 4) {
-            return sprintf('\\u%04s', $hex);
+        if (\strlen($hex) <= 4) {
+            return \sprintf('\\u%04s', $hex);
         }
 
         $highSurrogate = substr($hex, 0, 4);
         $lowSurrogate  = substr($hex, 4, 4);
 
-        return sprintf('\\u%04s\\u%04s', $highSurrogate, $lowSurrogate);
+        return \sprintf('\\u%04s\\u%04s', $highSurrogate, $lowSurrogate);
     }
 
     /**
@@ -323,14 +318,14 @@ protected function jsMatcher(array $matches): string
     protected function cssMatcher(array $matches): string
     {
         $chr = $matches[0];
-        if (strlen($chr) === 1) {
-            $ord = ord($chr);
+        if (\strlen($chr) === 1) {
+            $ord = \ord($chr);
         } else {
             $chr = $this->convertEncoding($chr, 'UTF-32BE', 'UTF-8');
             $ord = (int) hexdec(bin2hex($chr));
         }
 
-        return sprintf('\\%X ', $ord);
+        return \sprintf('\\%X ', $ord);
     }
 
     /**
@@ -392,9 +387,9 @@ protected function isUtf8(string $str): bool
      */
     protected function convertEncoding(string $str, string $to, string $from): string
     {
-        if (function_exists('iconv')) {
+        if (\function_exists('iconv')) {
             $result = @iconv($from, $to, $str);
-        } elseif (function_exists('mb_convert_encoding')) {
+        } elseif (\function_exists('mb_convert_encoding')) {
             $result = @mb_convert_encoding($str, $to, $from);
         } else {
             throw new EncodingConversionException(
@@ -404,7 +399,7 @@ protected function convertEncoding(string $str, string $to, string $from): strin
 
         if ($result === false) {
             throw new EncodingConversionException(
-                sprintf('Failed to convert string from "%s" to "%s".', $from, $to)
+                \sprintf('Failed to convert string from "%s" to "%s".', $from, $to)
             );
         }
 
diff --git a/tests/EscTest.php b/tests/EscTest.php
index 656b768..d398d4e 100644
--- a/tests/EscTest.php
+++ b/tests/EscTest.php
@@ -27,11 +27,11 @@ public function testHtmlContextIsDefault(): void
 
     public function testEachContextDispatchesToTheCorrectEscaper(): void
     {
-        self::assertSame('&lt;b&gt;', Esc::esc('<b>',  'html'));
-        self::assertSame('&lt;',      Esc::esc('<',    'attr'));
-        self::assertSame('\\x3C',     Esc::esc('<',    'js'));
-        self::assertSame('\\3C ',     Esc::esc('<',    'css'));
-        self::assertSame('%3C',       Esc::esc('<',    'url'));
+        self::assertSame('&lt;b&gt;', Esc::esc('<b>', 'html'));
+        self::assertSame('&lt;', Esc::esc('<', 'attr'));
+        self::assertSame('\\x3C', Esc::esc('<', 'js'));
+        self::assertSame('\\3C ', Esc::esc('<', 'css'));
+        self::assertSame('%3C', Esc::esc('<', 'url'));
     }
 
     public function testContextLookupIsCaseInsensitive(): void
@@ -76,8 +76,8 @@ public function testArrayIsEscapedRecursively(): void
 
     public function testNonStringNonArrayValuesArePassedThrough(): void
     {
-        self::assertSame(42,    Esc::esc(42));
-        self::assertSame(3.14,  Esc::esc(3.14));
+        self::assertSame(42, Esc::esc(42));
+        self::assertSame(3.14, Esc::esc(3.14));
         self::assertTrue(Esc::esc(true));
         self::assertNull(Esc::esc(null));
 
@@ -138,8 +138,8 @@ public function testDifferentEncodingsAreCachedIndependently(): void
         $instances = $property->getValue();
 
         self::assertCount(3, $instances);
-        self::assertArrayHasKey('utf-8',        $instances);
-        self::assertArrayHasKey('iso-8859-1',   $instances);
+        self::assertArrayHasKey('utf-8', $instances);
+        self::assertArrayHasKey('iso-8859-1', $instances);
         self::assertArrayHasKey('windows-1252', $instances);
     }
 
diff --git a/tests/EscaperEncodingTest.php b/tests/EscaperEncodingTest.php
index 60ae31e..f39502d 100644
--- a/tests/EscaperEncodingTest.php
+++ b/tests/EscaperEncodingTest.php
@@ -29,9 +29,9 @@ public function testEmptyStringEncodingResolvesToUtf8(): void
 
     public function testEncodingLookupIsCaseInsensitive(): void
     {
-        self::assertSame('utf-8',        (new Escaper('UTF-8'))->getEncoding());
+        self::assertSame('utf-8', (new Escaper('UTF-8'))->getEncoding());
         self::assertSame('windows-1252', (new Escaper('Windows-1252'))->getEncoding());
-        self::assertSame('iso-8859-1',   (new Escaper('ISO-8859-1'))->getEncoding());
+        self::assertSame('iso-8859-1', (new Escaper('ISO-8859-1'))->getEncoding());
     }
 
     public function testUnsupportedEncodingThrows(): void
diff --git a/tests/EscaperHtmlAttrTest.php b/tests/EscaperHtmlAttrTest.php
index 831d2f2..721af03 100644
--- a/tests/EscaperHtmlAttrTest.php
+++ b/tests/EscaperHtmlAttrTest.php
@@ -47,9 +47,9 @@ public function testQuotelessAttributeInjectionVector(): void
     public function testNamedEntitiesPreferredOverNumericForms(): void
     {
         self::assertSame('&quot;', $this->escaper->escHtmlAttr('"'));
-        self::assertSame('&amp;',  $this->escaper->escHtmlAttr('&'));
-        self::assertSame('&lt;',   $this->escaper->escHtmlAttr('<'));
-        self::assertSame('&gt;',   $this->escaper->escHtmlAttr('>'));
+        self::assertSame('&amp;', $this->escaper->escHtmlAttr('&'));
+        self::assertSame('&lt;', $this->escaper->escHtmlAttr('<'));
+        self::assertSame('&gt;', $this->escaper->escHtmlAttr('>'));
     }
 
     public function testControlCharactersBecomeReplacementCharacter(): void
diff --git a/tests/ExceptionHierarchyTest.php b/tests/ExceptionHierarchyTest.php
index 3dc3fe9..dac7936 100644
--- a/tests/ExceptionHierarchyTest.php
+++ b/tests/ExceptionHierarchyTest.php
@@ -10,36 +10,51 @@
 use InitPHP\Escaper\Exception\InvalidContextException;
 use InitPHP\Escaper\Exception\InvalidUtf8Exception;
 use PHPUnit\Framework\TestCase;
+use ReflectionClass;
 use RuntimeException;
 
 /**
  * Locks the package exception tree in place so a future refactor that
  * accidentally re-parents an exception fails loudly.
+ *
+ * Uses reflection rather than `is_subclass_of()` so the assertions look at
+ * the *immediate* parent of each exception, not just somewhere in the chain.
  */
 final class ExceptionHierarchyTest extends TestCase
 {
     public function testBaseExtendsRuntimeException(): void
     {
-        self::assertTrue(is_subclass_of(EscaperException::class, RuntimeException::class));
+        self::assertSame(RuntimeException::class, self::parentOf(EscaperException::class));
     }
 
     public function testEncodingNotSupportedExtendsBase(): void
     {
-        self::assertTrue(is_subclass_of(EncodingNotSupportedException::class, EscaperException::class));
+        self::assertSame(EscaperException::class, self::parentOf(EncodingNotSupportedException::class));
     }
 
     public function testEncodingConversionExtendsBase(): void
     {
-        self::assertTrue(is_subclass_of(EncodingConversionException::class, EscaperException::class));
+        self::assertSame(EscaperException::class, self::parentOf(EncodingConversionException::class));
     }
 
     public function testInvalidContextExtendsBase(): void
     {
-        self::assertTrue(is_subclass_of(InvalidContextException::class, EscaperException::class));
+        self::assertSame(EscaperException::class, self::parentOf(InvalidContextException::class));
     }
 
     public function testInvalidUtf8ExtendsBase(): void
     {
-        self::assertTrue(is_subclass_of(InvalidUtf8Exception::class, EscaperException::class));
+        self::assertSame(EscaperException::class, self::parentOf(InvalidUtf8Exception::class));
+    }
+
+    /**
+     * @param class-string $class
+     */
+    private static function parentOf(string $class): string
+    {
+        $parent = (new ReflectionClass($class))->getParentClass();
+        self::assertNotFalse($parent, \sprintf('Class "%s" must have a parent.', $class));
+
+        return $parent->getName();
     }
 }

From b239780399d7b1cb187de53de17978685f2d15dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Muhammet=20=C5=9Eafak?= <info@muhammetsafak.com.tr>
Date: Mon, 25 May 2026 09:00:41 +0300
Subject: [PATCH 3/4] Update CI for "*.x" branches, PHP matrix, dependencies,
 Codecov, CHANGELOG

---
 .github/workflows/ci.yml |  30 +++++++--
 CHANGELOG.md             |  85 ++++++++++++++++++++++++
 README.md                |   1 +
 UPGRADE-2.0.md           | 140 +++++++++++++++++++++++++++++++++++++++
 composer.json            |   8 ++-
 5 files changed, 257 insertions(+), 7 deletions(-)
 create mode 100644 CHANGELOG.md
 create mode 100644 UPGRADE-2.0.md

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b823b6a..fefbebf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, "*.x"]
   pull_request:
-    branches: [main]
+    branches: [main, "*.x"]
 
 jobs:
   validate:
@@ -54,13 +54,19 @@ jobs:
         run: composer stan
 
   tests:
-    name: PHPUnit (PHP ${{ matrix.php }})
+    name: PHPUnit (PHP ${{ matrix.php }}, ${{ matrix.deps }})
     runs-on: ubuntu-latest
     needs: validate
     strategy:
       fail-fast: false
       matrix:
         php: ["7.4", "8.0", "8.1", "8.2", "8.3", "8.4"]
+        deps: ["highest"]
+        include:
+          - php: "7.4"
+            deps: "lowest"
+          - php: "8.4"
+            deps: "lowest"
     steps:
       - uses: actions/checkout@v4
 
@@ -83,12 +89,17 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
-          key: composer-${{ matrix.php }}-${{ hashFiles('**/composer.json') }}
-          restore-keys: composer-${{ matrix.php }}-
+          key: composer-${{ matrix.php }}-${{ matrix.deps }}-${{ hashFiles('**/composer.json') }}
+          restore-keys: composer-${{ matrix.php }}-${{ matrix.deps }}-
 
-      - name: Install dependencies
+      - name: Install highest dependencies
+        if: matrix.deps == 'highest'
         run: composer update --prefer-dist --no-progress --no-interaction
 
+      - name: Install lowest dependencies
+        if: matrix.deps == 'lowest'
+        run: composer update --prefer-dist --no-progress --no-interaction --prefer-lowest --prefer-stable
+
       - name: Run PHPUnit
         run: vendor/bin/phpunit
 
@@ -119,3 +130,10 @@ jobs:
           name: coverage-clover
           path: coverage.xml
           retention-days: 14
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          files: ./coverage.xml
+          flags: phpunit
+          fail_ci_if_error: false
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..3ad7245
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,85 @@
+# Changelog
+
+All notable changes to `initphp/escaper` are documented here.
+
+The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [2.0.0]
+
+A reliability- and correctness-focused major release. Several bug fixes
+in this release are visible from the outside, so the version bump is
+necessary even though the public surface is unchanged. See
+[`UPGRADE-2.0.md`](./UPGRADE-2.0.md) for a step-by-step migration guide.
+
+### Added
+
+- Dedicated exception hierarchy under `InitPHP\Escaper\Exception\`:
+  `EscaperException` (base, extends `\RuntimeException`),
+  `EncodingNotSupportedException`, `EncodingConversionException`,
+  `InvalidContextException`, `InvalidUtf8Exception`.
+- Full PHPUnit test suite under `tests/` (62 tests, 100 assertions,
+  ~91% line coverage).
+- GitHub Actions CI: `composer validate`, PHP-CS-Fixer, PHPStan (max),
+  PHPUnit on PHP 7.4 – 8.4, coverage upload.
+- PHPStan configuration at the `max` level with zero reported issues.
+- PHP-CS-Fixer configuration based on `@PSR12` and
+  `@PHP74Migration` rule sets.
+- Developer documentation under `docs/` covering each escape context,
+  encoding handling, exceptions and security notes.
+- `Esc::reset()` helper to clear the memoised `Escaper` cache (used by
+  tests; useful when the calling code wants to drop cached instances).
+- `composer.json` scripts: `test`, `test-coverage`, `stan`, `cs-check`,
+  `cs-fix`, `ci`.
+
+### Changed
+
+- **`Esc::esc()` recursion** now propagates `$encoding` into recursive
+  calls. Previously the encoding was dropped on every inner call,
+  silently defaulting to UTF-8 for nested arrays.
+- **`Esc::esc()` instance cache** is now keyed by encoding. The previous
+  cache compared `$escaper->getEncoding()` (`'utf-8'`) against the raw
+  `$encoding` argument (often `null`), so the cache rebuilt on every
+  default call.
+- **`Escaper` constructor** raises `EncodingNotSupportedException`
+  instead of `\Exception`. (Still catchable via `\Exception` /
+  `\RuntimeException`.)
+- **`HTML attribute` matcher** evaluates the C0/C1 control-character
+  check against the decoded code point, so `U+0080`–`U+009F` are now
+  correctly replaced with `U+FFFD` when they arrive in multibyte UTF-8
+  form. Previously only single-byte controls were caught.
+- **`composer.json`** now requires `ext-mbstring`. `ext-iconv` remains
+  optional and is preferred when present (`suggest` entry added).
+- **PHPDoc blocks** rewritten across the package to reflect the actual
+  code behaviour.
+
+### Fixed
+
+- **Silent data loss on encoding-conversion failure.** When `iconv` /
+  `mb_convert_encoding` returned `false`, `Escaper::convertEncoding()`
+  previously returned an empty string and let it propagate, masking
+  real failures. It now raises `EncodingConversionException`.
+- **`isUtf8()`** uses explicit `=== 1` comparison against
+  `preg_match()` instead of relying on PHP's loose type coercion in a
+  `bool` return.
+- **Misleading error message** in `convertEncoding()`: the "MB_String
+  plugin is required" text appeared even when iconv was tried first.
+  Replaced with "Either ext-iconv or ext-mbstring is required".
+- **Unused callable properties** (`$htmlAttrMatcher`, `$jsMatcher`,
+  `$cssMatcher`) removed. The matchers are now passed inline to
+  `preg_replace_callback`.
+
+### Removed
+
+- **`Examples/`** directory removed. The same scenarios are documented
+  under [`docs/`](./docs) with verified output for each example.
+
+## [1.0]
+
+Initial release.
+
+[Unreleased]: https://github.com/InitPHP/Escaper/compare/2.0.0...HEAD
+[2.0.0]: https://github.com/InitPHP/Escaper/compare/1.0...2.0.0
+[1.0]: https://github.com/InitPHP/Escaper/releases/tag/1.0
diff --git a/README.md b/README.md
index 92d5c6c..6133c91 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@ HTML, HTML attributes, JavaScript, CSS and URLs.
 [![Latest Stable Version](https://poser.pugx.org/initphp/escaper/v)](https://packagist.org/packages/initphp/escaper)
 [![PHP Version Require](https://poser.pugx.org/initphp/escaper/require/php)](https://packagist.org/packages/initphp/escaper)
 [![CI](https://github.com/InitPHP/Escaper/actions/workflows/ci.yml/badge.svg)](https://github.com/InitPHP/Escaper/actions/workflows/ci.yml)
+[![codecov](https://codecov.io/gh/InitPHP/Escaper/branch/main/graph/badge.svg)](https://codecov.io/gh/InitPHP/Escaper)
 [![License](https://poser.pugx.org/initphp/escaper/license)](https://packagist.org/packages/initphp/escaper)
 [![Total Downloads](https://poser.pugx.org/initphp/escaper/downloads)](https://packagist.org/packages/initphp/escaper)
 
diff --git a/UPGRADE-2.0.md b/UPGRADE-2.0.md
new file mode 100644
index 0000000..891a1ed
--- /dev/null
+++ b/UPGRADE-2.0.md
@@ -0,0 +1,140 @@
+# Upgrading from 1.x to 2.0
+
+`initphp/escaper` 2.0 is a correctness release. The public API surface
+is unchanged — every 1.x method still exists with the same signature.
+What changed is **how the escaper signals failure** and **what happens
+in a few edge cases that were latent bugs in 1.x**.
+
+If your 1.x code only calls `Esc::esc()` or `Escaper::escHtml()` etc.
+in the happy path, you should be able to upgrade without code changes.
+The notes below cover the cases where you may need to act.
+
+## 1. New `composer require`: `ext-mbstring`
+
+`composer.json` now declares `ext-mbstring` as a hard requirement
+(`ext-iconv` remains optional but is preferred when present). If your
+production image does not bundle mbstring you must add it:
+
+```Dockerfile
+RUN docker-php-ext-install mbstring
+```
+
+Or on a Debian/Ubuntu host:
+
+```bash
+apt-get install -y php-mbstring
+```
+
+## 2. Replace `catch (\Exception $e)` blocks (recommended)
+
+1.x threw a plain `\Exception`. 2.x ships a dedicated exception tree.
+Your existing `\Exception` (or `\Throwable`) catches still work because
+the new exceptions extend `\RuntimeException`, but you can now be
+specific:
+
+```diff
+ use InitPHP\Escaper\Esc;
++use InitPHP\Escaper\Exception\EscaperException;
+
+ try {
+     echo Esc::esc($value, 'attr');
+-} catch (\Exception $e) {
++} catch (EscaperException $e) {
+     // …
+ }
+```
+
+The full tree:
+
+```
+\RuntimeException
+    └─ InitPHP\Escaper\Exception\EscaperException
+        ├─ EncodingNotSupportedException     // unsupported encoding constructor arg
+        ├─ EncodingConversionException       // iconv/mbstring failure (NEW behaviour, see §3)
+        ├─ InvalidContextException           // unknown context passed to Esc::esc()
+        └─ InvalidUtf8Exception               // input is not / cannot be UTF-8
+```
+
+## 3. Encoding-conversion failure now throws (behavioural break)
+
+In 1.x, if `iconv` / `mb_convert_encoding` returned `false`, the
+escaper silently substituted an empty string and returned it. That
+silently destroyed data. 2.x raises `EncodingConversionException`
+instead.
+
+If you rely on the old "empty string on failure" behaviour, add an
+explicit `try`/`catch`:
+
+```php
+try {
+    $safe = $escaper->escHtmlAttr($value);
+} catch (EncodingConversionException $e) {
+    $safe = '';
+}
+```
+
+Most callers will want the exception. If you were silently corrupting
+output before, you will now see the error.
+
+## 4. `Esc::esc()` on arrays now keeps the `$encoding` argument
+
+This is a bug fix. In 1.x, `Esc::esc(['x' => $v], 'html',
+'iso-8859-1')` recursed into the array and called itself **without
+the encoding**, so every nested value escaped as UTF-8 regardless of
+the third argument. 2.x propagates the encoding correctly.
+
+If you were depending on the bug (i.e. you passed an encoding but
+expected UTF-8 for nested values), drop the encoding argument:
+
+```diff
+-Esc::esc($payload, 'html', 'iso-8859-1');
++Esc::esc($payload, 'html');
+```
+
+## 5. C1 control characters in multibyte UTF-8
+
+`escHtmlAttr` always replaced single-byte C0/C1 controls with the
+Unicode replacement character (`U+FFFD`). In 1.x the replacement only
+fired against the **first byte** of a multibyte sequence, so
+`U+0080`–`U+009F` in their proper 2-byte UTF-8 form (`\xC2\x80` …
+`\xC2\x9F`) survived as numeric character references (`&#x80;` …
+`&#x9F;`) instead of being replaced.
+
+2.x catches both forms. The output for those exact code points
+changed from `&#x80;` etc. to `&#xFFFD;`. Both are XSS-safe; if you
+were diffing output byte-for-byte across versions, expect this drift.
+
+## 6. `Esc::esc()` cache is now actually effective
+
+Not a BC break, but worth knowing: in 1.x the static cache rebuilt the
+`Escaper` on every call when `$encoding === null`. 2.x caches per
+encoding. No code change needed — your default-encoding calls just got
+faster.
+
+## 7. Examples directory removed
+
+The runnable PHP files under `Examples/` are gone. The same scenarios
+live under [`docs/`](./docs) with each output verified by running the
+escaper itself. If you scripted against the example file paths, point
+your tooling at `docs/` instead.
+
+## 8. Static analysis & coding-standard tooling (dev only)
+
+If you have a fork or downstream patches, note that 2.x adds:
+
+- `phpstan.neon.dist` (level `max`, zero errors)
+- `.php-cs-fixer.dist.php` (`@PSR12 + @PHP74Migration`)
+
+Your local changes should pass `composer ci` before being submitted as
+PRs.
+
+## Summary checklist
+
+- [ ] `ext-mbstring` available in every environment.
+- [ ] `catch (\Exception)` → `catch (EscaperException)` (optional).
+- [ ] Handle `EncodingConversionException` if you used to rely on the
+      silent empty-string fallback.
+- [ ] Drop redundant `$encoding` arguments that depended on the
+      recursion bug.
+- [ ] Re-run any byte-for-byte output snapshots that include the
+      `U+0080`–`U+009F` range.
diff --git a/composer.json b/composer.json
index 95398af..663399d 100644
--- a/composer.json
+++ b/composer.json
@@ -71,5 +71,11 @@
         "cs-fix": "Apply PHP-CS-Fixer fixes in-place.",
         "ci": "Run the full CI bundle locally: cs-check, stan, test."
     },
-    "minimum-stability": "stable"
+    "minimum-stability": "stable",
+    "extra": {
+        "branch-alias": {
+            "dev-2.x": "2.0.x-dev",
+            "dev-main": "2.0.x-dev"
+        }
+    }
 }

From d78ed95881d899f43f72b0c93a8ce2b046e141c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Muhammet=20=C5=9Eafak?= <info@muhammetsafak.com.tr>
Date: Mon, 25 May 2026 09:20:44 +0300
Subject: [PATCH 4/4] Add Windows-1252 encoding round trips in
 EscaperEncodingTest

---
 tests/EscaperEncodingTest.php | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/tests/EscaperEncodingTest.php b/tests/EscaperEncodingTest.php
index f39502d..9aaf639 100644
--- a/tests/EscaperEncodingTest.php
+++ b/tests/EscaperEncodingTest.php
@@ -5,6 +5,7 @@
 namespace InitPHP\Escaper\Tests;
 
 use InitPHP\Escaper\Escaper;
+use InitPHP\Escaper\Exception\EncodingConversionException;
 use InitPHP\Escaper\Exception\EncodingNotSupportedException;
 use InitPHP\Escaper\Exception\EscaperException;
 use InitPHP\Escaper\Exception\InvalidUtf8Exception;
@@ -73,4 +74,39 @@ public function testInvalidUtf8InAttributeContextThrows(): void
         // 0xC3 0x28 is a broken 2-byte sequence.
         (new Escaper())->escHtmlAttr("\xC3\x28");
     }
+
+    public function testWindows1252RoundTripThroughAttributeContext(): void
+    {
+        $escaper = new Escaper('windows-1252');
+
+        // 0xE9 == "é" in windows-1252. It is outside the attribute whitelist
+        // so the matcher must produce a numeric entity. The output reaches
+        // the caller after a UTF-8 → windows-1252 conversion back.
+        self::assertSame('&#xE9;', $escaper->escHtmlAttr("\xE9"));
+    }
+
+    public function testWindows1252RoundTripThroughJsContext(): void
+    {
+        $escaper = new Escaper('windows-1252');
+
+        // 0xE9 == "é". In the JS context the matcher emits é.
+        self::assertSame('\\u00E9', $escaper->escJs("\xE9"));
+    }
+
+    public function testWindows1252RoundTripThroughCssContext(): void
+    {
+        $escaper = new Escaper('windows-1252');
+
+        // 0xE9 == "é". In the CSS context the matcher emits "\E9 ".
+        self::assertSame('\\E9 ', $escaper->escCss("\xE9"));
+    }
+
+    public function testForwardConversionFailureRaisesException(): void
+    {
+        $this->expectException(EncodingConversionException::class);
+        $this->expectExceptionMessage('Failed to convert string from "windows-1252" to "UTF-8".');
+
+        // 0x81 is an undefined byte in windows-1252 — iconv returns false.
+        (new Escaper('windows-1252'))->escHtmlAttr("\x81");
+    }
 }