It's an XSS-prone templating language, as the default correct syntax for outputt... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		pornel on Aug 10, 2011 \| parent \| context \| favorite \| on: I Like PHP It's an XSS-prone templating language, as the default correct syntax for outputting variables is: `<?php echo htmlspecialchars($value, ENT_QUOTES);?>` which is far from encouraging safe best practices. PHP namespaces aren't any better: http://pornel.net/phpns

shiflett on Aug 10, 2011 [–]

Actually, you should also always indicate the character encoding, for reasons I explain here:

http://shiflett.org/blog/2005/dec/google-xss-example

pornel on Aug 11, 2011 | [–]

Yes, declaration is necessary, but not in the htmlspecialchars() call if you're using ASCII-superset encoding (and you really should declare UTF-8, never UTF-7).

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact