On 19/06/16 10:01, Marco Pivetta wrote:
> This basically means that you lack basic understanding of how escaping and
> user input are to be handled.
> Most apps out there are about getting a bunch of text from the user, then
> rendering it somewhere else in the app.
> Cleaning user input just leads to frustration and a big mess in most
> scenarios, which is why we're all talking about escaping output instead.
> This is not "cleaning" either, it's escaping, which is a non-destructive
> and reversible operation (which is why it works so well).

Well, we have to disagree ... simply expecting htmlspecialchars() to fix
all your problems without proper handling of the input text is 'the big
mess', and there is NO need to simply slap htmlspecialchars() onto
properly built data, so the idea that <?= should automatically add it is
totally pointless!

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
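The distinction the two posters argue over (destructive input "cleaning" versus reversible output escaping, and what happens when escaping is applied a second time to data that was already escaped) can be shown in a few lines. The following is an added example, not code from either poster or from the PHP project; the helper names e(), cleanInput() and renderComment() and the sample input are made up for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Shows the difference under
// discussion: stripping or "cleaning" input is lossy, while escaping at the
// point of output is lossless, context-specific and must be applied once.

/** Escape a string for an HTML text node or a double-quoted attribute. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The "clean the input" approach: lossy, the original text is gone. */
function cleanInput(string $s): string
{
    return strip_tags($s);
}

/** Render user-supplied values; the raw strings only pass through e(). */
function renderComment(string $author, string $body): string
{
    return '<p data-author="' . e($author) . '">' . e($body) . "</p>\n";
}

// Constructed sample input: legitimate text that happens to contain
// markup-like characters, plus a script-injection attempt.
$input = 'Use <b>bold</b> sparingly; x < y && "quotes" \' <script>alert(1)</script>';

// 1. Cleaning input destroys data: the user's literal text is altered and
//    cannot be recovered.
$cleaned = cleanInput($input);
var_dump($cleaned === $input); // false: "<b>" and "<script>" are gone for good

// 2. Escaping at output is reversible: decoding gives back the original.
$escaped = e($input);
var_dump(htmlspecialchars_decode($escaped, ENT_QUOTES | ENT_HTML5) === $input); // true

// 3. Escaping belongs at the output boundary, exactly once. Escaping data
//    that is already escaped (slapping htmlspecialchars() onto properly
//    built data, as the thread puts it) double-encodes: "&lt;" -> "&amp;lt;".
$doubled = e($escaped);
var_dump($doubled === $escaped); // false

// 4. The injected markup reaches the browser as inert text.
echo renderComment('o\'brien "the" <admin>', $input);
```

The point of steps 2 and 3 together is that output escaping only "works so well" when the data stored and passed around is the raw, unescaped text; a template engine that auto-escapes every `<?=` is only safe if nothing upstream has already escaped the value, otherwise the user sees literal `&amp;lt;` in the page.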
