PHP - security etc
Andy Armstrong
andy at hexten.net
Wed Mar 7 16:26:28 GMT 2007
On 7 Mar 2007, at 16:15, Dominic Mitchell wrote:
> I disagree. Not only does PHP not make it easy to be secure, it makes
> it actively hard to be correct as far as I can see... For example,
> requiring you to call htmlspecialchars() on every string that ends up in
> the page is completely inexcusable in order to avoid XSS attacks.
I don't understand this. If the string contains HTML you don't want
to escape it. If it contains plain text that you want to HTML-escape,
then /of course/ you have to escape it.
--
Andy Armstrong, hexten.net
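The two output paths the reply above distinguishes (a user-supplied string that must be escaped, and server-generated HTML that is emitted raw), shown side by side in PHP. This is an added example, not code from the london.pm thread or from either poster; `$untrusted` is a constructed payload standing in for a query-string value, and `e()` is a hypothetical wrapper name.

```php
<?php
// Added example (not from the thread): escaped vs. unescaped output in PHP.
// $untrusted is a constructed payload standing in for a request parameter.
// Run with: php example.php

declare(strict_types=1);

// Escape a string for an HTML text node or a quoted attribute value.
// ENT_QUOTES matters: before PHP 8.1 the default flags were ENT_COMPAT,
// which leaves single quotes alone, so a value placed in a single-quoted
// attribute could terminate the attribute. The explicit charset avoids
// encoding mismatches between what the browser and htmlspecialchars assume.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed payload: closes a single-quoted attribute, then injects both
// an event handler and a script element.
$untrusted = "' onmouseover='alert(1)' x='<script>alert(2)</script>";

// Path 1: plain text from the user ending up in the page. This is the
// htmlspecialchars() call the quoted complaint says must be made every time.
$vulnerable = "<input value='" . $untrusted . "'>";
$safe       = "<input value='" . e($untrusted) . "'>";

// Path 2: a string that is itself HTML built by the application, which is
// emitted without escaping. It is only safe because the user-controlled
// part was escaped at the point it was concatenated in.
$serverHtml = '<p>Hello, ' . e($untrusted) . '</p>';

// Sanity check: nothing that can change HTML structure survives escaping.
assert(strpbrk(e($untrusted), "<>\"'") === false);

echo "vulnerable: $vulnerable\n";
echo "escaped:    $safe\n";
echo "html:       $serverHtml\n";
```

The `vulnerable` line renders an `<input>` with an attacker-controlled `onmouseover` handler; the `escaped` line renders the payload as literal text inside the attribute. The practical check for any PHP template is that every interpolated value is either passed through an escaper like `e()` for its output context or is HTML the server produced from already-escaped parts, never a raw request value.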