
Recently I was assigned to a project and I saw this in the controller:

    if ($this->getRequest()->isPost()) {
        // Zend\Escaper\Escaper (ZF2) encodes values for HTML output
        $escapar = new Escaper('utf-8');
        $consulta = $this->getRequest()->getPost();
        $nombreComercial = $escapar->escapeHtml($consulta['nombreComercial']);
        $razonSocial = $escapar->escapeHtml($consulta['razonSocial']);
        $rfc = $escapar->escapeHtml($consulta['rfc']);
        $estado = $escapar->escapeHtml($consulta['estado']);
        $municipio = $escapar->escapeHtml($consulta['municipio']);
        $sectorprimario = $escapar->escapeHtml($consulta['sectorprimario']);
        $sectorsecundario = $escapar->escapeHtml($consulta['sectorsecundario']);
        $localidad = $escapar->escapeHtml($consulta['localidad']);
        $telefono = $escapar->escapeHtml($consulta['telefono']);
        $empresa = new Empresa($this->dbAdapter);

        // $identi is defined elsewhere in the controller (not shown in this snippet)
        $empresas = $empresa->searchEmpresas($nombreComercial, $razonSocial, $rfc, $estado, $municipio, $localidad, $sectorprimario, $sectorsecundario, $telefono, $identi->id_institucion);
        return $this->forward()->dispatch('Gestion\Controller\Cpanel', array('action' => 'searchpymes', 'nombreComercial' => $nombreComercial, 'consulta' => $empresas));
    }

Is it correct to use escapeHtml() to get the incoming data from the POST request?

blackbishop
JoaqiinRA

1 Answer

In the documentation we can read this:

Zend\Escaper is meant to be used only for escaping data that is to be output, and as such should not be misused for filtering input data. For such tasks, the Zend\Filter component, HTMLPurifier or PHP’s Filter component should be used.

From: Zend Escaper

escapeHtml() is one of the methods provided by Zend\Escaper, so it should be used for escaping output data.

For input data (which is your case), you might have a look at the Zend\Filter component.

blackbishop
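As an added example (not code from the question or the answer, and not from the project in the question), here is the question's POST handling rearranged the way the answer suggests: Zend\Filter and Zend\Validator normalise and validate the input, the query binds the filtered value as a parameter, and Zend\Escaper is applied once, at output. Only the class name `Empresa`/`searchEmpresas` and the field names come from the question; the Composer autoload path, the SQLite table and its columns, the constructed rows and POST body, and the RFC pattern are assumptions for illustration.

```php
<?php
// Added example, not code from the question or the answer. Assumptions (not in
// the original): Composer autoloading of zend-escaper, zend-filter and
// zend-validator; an SQLite table "empresas" with the columns used below; the
// RFC pattern; the constructed rows and POST body.
require __DIR__ . '/vendor/autoload.php';

use Zend\Escaper\Escaper;
use Zend\Filter\FilterChain;
use Zend\Filter\StringTrim;
use Zend\Validator\Regex;
use Zend\Validator\StringLength;

// 1. Input: normalise and validate with Zend\Filter / Zend\Validator. Nothing is
//    HTML-encoded here, so the database sees what the user actually typed.
function filterSearchInput(array $post)
{
    $chain = new FilterChain();
    $chain->attach(new StringTrim());

    $clean  = array();
    $errors = array();
    $length = new StringLength(array('max' => 100));
    foreach (array('nombreComercial', 'razonSocial', 'rfc', 'telefono') as $field) {
        $value = isset($post[$field]) ? $chain->filter((string) $post[$field]) : '';
        if (!$length->isValid($value)) {
            $errors[$field] = 'longer than 100 characters';
        }
        $clean[$field] = $value;
    }
    // Assumed shape of a Mexican RFC (3-4 letters, 6 digits, 3 alphanumerics);
    // replace with the rule your application actually enforces.
    $rfc = new Regex('/^[A-Z&Ñ]{3,4}[0-9]{6}[A-Z0-9]{3}$/u');
    if ($clean['rfc'] !== '' && !$rfc->isValid($clean['rfc'])) {
        $errors['rfc'] = 'not a valid RFC';
    }
    return array($clean, $errors);
}

// 2. Query: bind the filtered value as a parameter. escapeHtml() would not have
//    protected this statement against SQL injection; parameter binding does.
function searchEmpresas(PDO $pdo, array $clean, $idInstitucion)
{
    // Make '%' and '_' typed by the user match literally inside LIKE.
    $like = '%' . addcslashes($clean['nombreComercial'], '%_\\') . '%';
    $stmt = $pdo->prepare(
        "SELECT nombre_comercial, rfc FROM empresas
          WHERE nombre_comercial LIKE :nombre ESCAPE '\\'
            AND id_institucion = :inst"
    );
    $stmt->execute(array(':nombre' => $like, ':inst' => $idInstitucion));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Output: escape exactly once, in the view, for the HTML body context.
function renderResults(array $rows, Escaper $escaper)
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= '  <li>' . $escaper->escapeHtml($row['nombre_comercial'])
               . ' (' . $escaper->escapeHtml($row['rfc']) . ")</li>\n";
    }
    return $html . '</ul>';
}

// Stand-alone run against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE empresas (nombre_comercial TEXT, rfc TEXT, id_institucion INTEGER)');
$ins = $pdo->prepare('INSERT INTO empresas VALUES (?, ?, ?)');
$ins->execute(array('Pérez & Hijos', 'PEH850101AB1', 7));
$ins->execute(array('Pérez & Hijos <script>alert(1)</script>', 'PEH900101XY2', 7));

// Constructed POST body: the ampersand that the question's code would have turned
// into "&amp;" before the search ever ran, plus surrounding whitespace.
$post = array('nombreComercial' => '  Pérez & Hijos ', 'rfc' => 'PEH850101AB1');
list($clean, $errors) = filterSearchInput($post);
if ($errors) {
    header('Content-Type: application/json', true, 400);
    exit(json_encode($errors));
}
$rows = searchEmpresas($pdo, $clean, 7);
echo renderResults($rows, new Escaper('utf-8')), "\n";
```

With the question's approach, the search term `Pérez & Hijos` would reach `searchEmpresas()` as `Pérez &amp; Hijos` and match nothing, while a stored `<script>` tag would still be rendered raw by any view that did not escape it. Here the untouched string is bound into the LIKE clause, and the stored tag is neutralised in `renderResults()` at the moment it becomes HTML. The same three classes exist under the `Laminas\` namespace in the framework's successor.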