Hi

>
> Why are you mixing them into a single file? Why not have separate files
> for separate types of code? This simplifies the story for escaping,

Sometimes you have to mix everything together because you need to
dynamically generate values of certain attributes like onXXX, style,
...

>
> We can provide tools for the developer -- it's up to the developer to
> use them properly. Again, the 80% use case for view scripts is HTML, so

heh, "it's up to the developer to use them properly"... a little bit of
a wrong premise.

> autoescaping using htmlentities or htmlspecialchars is the appropriate

There is only one correct solution: htmlspecialchars($s, ENT_QUOTES).


-- 
Ondrej Ivanic
(ondrej.iva...@gmail.com)
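An added illustration of the ENT_QUOTES point above (example code written for this page, not code from the thread or from any framework): with ENT_COMPAT, which matches the behaviour of older PHP defaults, a single quote passes through unescaped, so a value placed inside a single-quoted attribute can end the attribute early. The input string and the `'UTF-8'` charset argument are assumptions of the example.

```php
<?php
// Constructed sample value containing both kinds of quote.
$untrusted = "O'Neil \"the\" user";

// Escape a value for use inside an HTML attribute.
// ENT_COMPAT converts only double quotes; ENT_QUOTES converts both.
function escapeAttr(string $value, int $flags): string
{
    return htmlspecialchars($value, $flags, 'UTF-8');
}

// Returns true when the escaped value contains no raw quote character,
// i.e. when it cannot terminate either a single- or double-quoted attribute.
function safeForAnyAttributeQuoting(string $escaped): bool
{
    return strpos($escaped, "'") === false && strpos($escaped, '"') === false;
}

$compat = escapeAttr($untrusted, ENT_COMPAT);
$quotes = escapeAttr($untrusted, ENT_QUOTES);

echo "ENT_COMPAT: <input value='{$compat}'>\n";
// ENT_COMPAT: <input value='O'Neil &quot;the&quot; user'>  -> single quote leaks through
echo "ENT_QUOTES: <input value='{$quotes}'>\n";
// ENT_QUOTES: <input value='O&#039;Neil &quot;the&quot; user'>

var_dump(safeForAnyAttributeQuoting($compat)); // bool(false)
var_dump(safeForAnyAttributeQuoting($quotes)); // bool(true)
```

Note that this only covers plain attribute values; a value that is itself interpreted as JavaScript (onXXX) or CSS (style) needs escaping for that inner context as well, which is why mixing those into the template makes the escaping story harder.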
