On 19.06.2016 at 19:28, Scott Arciszewski wrote:

> Further reading:
> https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

Thanks!

Minor issue:

| If you failed to specify ENT_QUOTES and attacker simply needs to pass
| " onload="malicious javascript code as a value to that form field and
| presto, instant client-side code execution.

That's not correct, unless ENT_NOQUOTES would have been specified. The
default of htmlspecialchars() is to escape double-quotes, but to leave
single-quotes alone.

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
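The quote-handling difference discussed in this reply, as an added example that is not part of the thread: a small PHP script that escapes the attribute-breakout shape quoted above with each of the three quote flags and reports whether the escaped value can still terminate a double- or single-quoted attribute. Flags are passed explicitly because PHP 8.1 changed the default from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401; the inputs are constructed, and the `x` stands in for the script body the thread calls "malicious javascript code".

```php
<?php
// Added example (not code from the thread): which quote characters each
// htmlspecialchars() flag escapes, and what that means for attribute context.

// Constructed sample inputs: the breakout shape from the thread, once for a
// double-quoted attribute and once for a single-quoted one.
$inputs = [
    'double' => '" onload="x',   // would close value="..."
    'single' => "' onload='x",   // would close value='...'
];

// ENT_HTML401 is the document type; ENT_COMPAT was the default before PHP 8.1.
$modes = [
    'ENT_COMPAT (pre-8.1 default)' => ENT_COMPAT | ENT_HTML401,
    'ENT_QUOTES'                   => ENT_QUOTES | ENT_HTML401,
    'ENT_NOQUOTES'                 => ENT_NOQUOTES | ENT_HTML401,
];

/**
 * True if $value, escaped with $flags, still contains the raw attribute
 * delimiter $delim, i.e. it could close an attribute quoted with $delim.
 */
function canBreakOut(string $value, int $flags, string $delim): bool
{
    return strpos(htmlspecialchars($value, $flags, 'UTF-8'), $delim) !== false;
}

foreach ($modes as $name => $flags) {
    echo $name, "\n";
    foreach ($inputs as $kind => $value) {
        $delim   = $kind === 'double' ? '"' : "'";
        $escaped = htmlspecialchars($value, $flags, 'UTF-8');
        printf("  %-6s attr: %-24s -> %s\n", $kind, $escaped,
            canBreakOut($value, $flags, $delim) ? 'breaks out' : 'safe');
    }
}
```

With ENT_COMPAT the double-quoted case is escaped to `&quot; onload=&quot;x` while the single-quoted case passes through untouched; only ENT_QUOTES escapes both, and only ENT_NOQUOTES lets the double-quote payload from the blog post through.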