- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 26 Aug 2010 22:30:00 +0200

On 26.08.2010 22:10, Aryeh Gregor wrote:
> On Thu, Aug 26, 2010 at 5:58 AM, Julian Reschke <julian.reschke at gmx.de> wrote:
>> Not convinced. There's already one way to escape these things, and this is
>> supported in all UAs.
>
> Adam gave two examples of cases where htmlspecialchars() is
> insufficient, even if authors do use it. This proposal is completely
> general and will work anywhere, even in <script>. Is automated
> general escaping even possible right now in <script> for text/html?

OK, sorry for my multiple posts. I now get the point about the additional problems in script, but I fail to see how the proposal addresses this, unless expanding these entities is supposed to happen *after* parsing the script.

Best regards, Julian

Received on Thursday, 26 August 2010 13:30:00 UTC