The second is the one I'm trying to address, wherein data that belongs in a JS parsing context may (coincidentally) contain HTML-parsable data. For *whatever* reason, this data may accidentally be echoed outside of a JS context, or a parsing/rendering error may lead to the browser switching unexpectedly to an HTML context. By outputting \u00XX instead of <>&', the data remains valid (and syntactically unmodified) for JS parsing, but becomes impotent against exploitability in an HTML context.
Yes, I get it now, and with this in mind the feature indeed seems very useful. Just document it well so people have a clear understanding of what it can and can't do, now that we seem to have a good understanding of what it is.
-- Stanislav Malyshev, Zend Software Architect [EMAIL PROTECTED] http://www.zend.com/ (408)253-8829 MSN: [EMAIL PROTECTED]
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
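The escaping behaviour described in the quoted message, as an added example in JavaScript (this is not code from the thread or from PHP's json_encode; the function names and the sample payload are my own). It encodes a value as JSON, rewrites the four HTML-significant characters as \u00XX escapes, and then checks two things a practitioner would want to see: that JSON.parse() still recovers the identical value, and that the encoded text no longer contains anything an HTML parser could act on (such as a premature </script>).

```javascript
// Added example (not code from the original thread or from PHP's
// json_encode): emulate "\u00XX instead of <>&'" for JSON that is
// emitted into a <script> block or a JS string literal.

// Characters that are harmless inside a JS/JSON string but dangerous if
// the same bytes are ever re-parsed as HTML (premature </script>, an
// attribute-closing quote, an entity start).
const HTML_SIGNIFICANT = /[<>&']/g;

// JSON.stringify already escapes '"', '\\' and control characters; we
// additionally turn <, >, & and ' into \u00XX escapes. The result is
// still strictly valid JSON, so JSON.parse() yields the identical value.
function jsonEncodeHtmlSafe(value) {
  return JSON.stringify(value).replace(HTML_SIGNIFICANT, (ch) =>
    '\\u00' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Constructed sample payload (hypothetical attacker-controlled comment):
// contains a script terminator, a single-quoted attribute and an entity.
const SAMPLE = {
  user: 'mallory',
  comment: "</script><img src=x onerror='alert(1)'>&amp;",
};

// The JS-context guarantee: encoding then decoding is lossless.
function roundTripsIdentically(value) {
  const encoded = jsonEncodeHtmlSafe(value);
  return JSON.stringify(JSON.parse(encoded)) === JSON.stringify(value);
}

// The HTML-context guarantee: none of <, >, &, ' survive in the output.
function containsHtmlSignificant(str) {
  return /[<>&']/.test(str);
}

// An HTML parser ends a script block on the literal sequence "</script",
// which cannot occur once '<' and '>' have been escaped.
function looksLikeScriptTerminator(str) {
  return /<\/script/i.test(str);
}

// Stand-alone demonstration when run directly.
const plain = JSON.stringify(SAMPLE);
const safe = jsonEncodeHtmlSafe(SAMPLE);
console.log('plain :', plain);
console.log('safe  :', safe);
console.log('lossless round trip:', roundTripsIdentically(SAMPLE));
console.log('plain can break out of <script>:', looksLikeScriptTerminator(plain));
console.log('safe  can break out of <script>:', looksLikeScriptTerminator(safe));
```

Note what this does and does not cover, matching the scope of the quoted message: the escaping only protects data that sits inside a JSON/JS string literal. A value written directly into an HTML attribute or element body still needs HTML entity encoding for that context, and the \u00XX form is meaningless to an HTML parser there.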