PHP - security etc

Andy Armstrong andy at
Wed Mar 7 21:43:28 GMT 2007

On 7 Mar 2007, at 21:14, Tim Sweetman wrote:
> The natural tendency will be to use the default thing, whether from  
> inexperience, carelessness, or trying to do fifteen other things at  
> once. If the default thing puts escaping on, then your markup  
> doesn't work. This is immediately (or almost immediately) evident,  
> and gets fixed.
> If the default thing puts escaping off, nothing happens for ages,  
> until your work is live, and then it gets pwn3d.
> Escaping on by default is the right behaviour for templating  
> systems for web apps.

Maybe so - but as soon as they discover that echo "<h1>$title</h1>"  
doesn't do what they expected they'll find out how to turn off  
escaping and won't bother to escape the title.

Additionally they'll probably read that "HTML escaping is turned on  
by default to help avoid XSS vulnerabilities" and assume that they're  
somehow indemnified from having to think about it as a result.

Andy Armstrong,

More information about the mailing list