Using different escaping methods

Most of these functions are security measures against XSS attacks.

The escapeXssInUrl() method removes the javascript:, vbscript: and data: words from a URL and is used like this:

<a href="<?php echo $block->escapeXssInUrl($block->getUrl()) ?>"><?php echo $block->getAnchorTextHtml() ?></a>

Magento 1: you can escape the quotes in JavaScript using $this->jsQuoteEscape($item->getName()); in Magento 2 you can do the same using escapeJsQuote.

escapeUrl() actually leverages htmlspecialchars with the recommended parameters to escape HTML: $result = htmlspecialchars($result, ENT_COMPAT, 'UTF-8', false);

You can find more information in the official Magento 2 documentation.


There is a helpful entry in the DevDocs on template security: Security measures against XSS attacks

Re escapeXssInUrl: The function escapeUrl calls escapeXssInUrl internally plus escapeHtml afterwards. Also Magento uses escapeUrl internally.

Make sure to check out the new escaping functions once Magento 2.2 is out, as there will be new ones coming:

The upcoming release of Magento 2.2 will deprecate these functions.

Please check back on this page after the 2.2 release for updated documentation on new escape functions.

You might also be interested in my presentation about this: Secure input and output handling - Meet Magento Romania 2016
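As an added example (not code from either answer, and not Magento's own Escaper), the following stand-alone PHP script mirrors the behaviour the two answers describe: a scheme-stripping step in the spirit of escapeXssInUrl(), the htmlspecialchars call quoted in the first answer standing in for escapeHtml(), their combination as escapeUrl() (the second answer's point), and quote escaping as escapeJsQuote(). The demo* function names and the sample product name and URL are constructed for this illustration; in a real .phtml template you call the corresponding methods on $block rather than these stand-ins.

```php
<?php
// Added illustration of the escaping contexts discussed above.
// These demo* functions are simplified stand-ins, NOT Magento's implementation.
declare(strict_types=1);

// Stand-in for escapeXssInUrl(): drop javascript:, vbscript: and data: scheme words.
// Entities are decoded first so an entity-encoded scheme cannot bypass the check,
// and the replacement repeats until nothing changes so that a fragment such as
// "javajavascript:script:" cannot reassemble into "javascript:" after one pass.
function demoEscapeXssInUrl(string $url): string
{
    $result = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    do {
        $result = preg_replace('/(javascript|vbscript|data)\s*:/iu', '', $result, -1, $count);
    } while ($count > 0);
    return $result;
}

// Stand-in for escapeHtml(): the exact htmlspecialchars call quoted in the first answer.
// ENT_COMPAT encodes double quotes but leaves single quotes untouched, so this output
// is only safe inside element content or DOUBLE-quoted attributes.
function demoEscapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8', false);
}

// Stand-in for escapeUrl(): escapeXssInUrl() followed by escapeHtml(),
// which is the composition the second answer describes.
function demoEscapeUrl(string $url): string
{
    return demoEscapeHtml(demoEscapeXssInUrl($url));
}

// Stand-in for escapeJsQuote(): backslash-escape the chosen quote character so a
// value can sit inside a quoted JS string literal. This is not a general JS escaper.
function demoEscapeJsQuote(string $value, string $quote = '\''): string
{
    return str_replace($quote, '\\' . $quote, $value);
}

// Render an anchor the way the template snippet in the first answer does,
// with the URL escaped for the href attribute and the name escaped for element content.
function renderAnchor(string $url, string $name): string
{
    return '<a href="' . demoEscapeUrl($url) . '">' . demoEscapeHtml($name) . '</a>';
}

// Render the same name inside a single-quoted JS string literal.
function renderJsName(string $name): string
{
    return "var name = '" . demoEscapeJsQuote($name) . "';";
}

// Constructed sample values of the kind a product name or URL field could carry.
$sampleName = "Widget <b>deluxe</b> 'special' \"edition\"";
$sampleUrl  = 'JavaScript:alert(document.cookie)';
$encodedUrl = 'java&#115;cript:alert(1)';

echo 'Stripped URL:          ', demoEscapeXssInUrl($sampleUrl), PHP_EOL;
echo 'Stripped encoded URL:  ', demoEscapeXssInUrl($encodedUrl), PHP_EOL;
echo 'Anchor:                ', renderAnchor($sampleUrl, $sampleName), PHP_EOL;
echo 'JS string literal:     ', renderJsName($sampleName), PHP_EOL;
```

Two points the output makes visible: because ENT_COMPAT leaves single quotes alone, a value passed through this escapeHtml() stand-in must never be placed in a single-quoted attribute, and escapeJsQuote() only protects the boundaries of the string literal, so a value that is later written into an inline script block still needs the HTML context handled as well (a literal `</script>` inside the string would otherwise close the script element).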