- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 26 Aug 2010 22:20:30 +0200

On 26.08.2010 22:10, Aryeh Gregor wrote:
> On Thu, Aug 26, 2010 at 5:58 AM, Julian Reschke <julian.reschke at gmx.de> wrote:
>> Not convinced. There's already one way to escape these things, and this is
>> supported in all UAs.
>
> Adam gave two examples of cases where htmlspecialchars() is
> insufficient, even if authors do use it. This proposal is completely
> general and will work anywhere, even in <script>. Is automated
> general escaping even possible right now in <script> for text/html?

I have to admit that I'm not sure what's special about <script> here. Are you saying that it's insufficient to escape all characters that have a special meaning there?

Server-wise, how is introducing a new escape mechanism any better than fixing the support code for the existing mechanism?

Best regards, Julian

Received on Thursday, 26 August 2010 13:20:30 UTC