To that end, the attached patch allows the caller to be paranoid about their data and stipulate that <>&' should be encoded to hex references instead. This doesn't stop a web developer from dropping that content into an innerHTML of course, but it's one more rope holding the ship together.

Can you explain when it's going to help? I.e. if the concern is that somebody would stick it in the DOM as-is and have something like XSS with these data, then encoding it as \u is not enough, as far as I understand. If it's not the concern, then I'm not sure what the use case is - when is such encoding necessary?
--
Stanislav Malyshev, Zend Software Architect
[EMAIL PROTECTED]   http://www.zend.com/
(408)253-8829   MSN: [EMAIL PROTECTED]

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
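The distinction discussed in this thread, as an added example that is not part of the original messages or the patch: hex-escaping `<>&'` keeps serialized JSON from being parsed as markup when it is embedded in a page, but the decoded string is unchanged, so the sink that renders it still has to escape. `hexEscapeJson`, `escapeHtml` and the sample value are hypothetical names and constructed data.

```javascript
// Added illustration: hypothetical helpers, not the patch's implementation.
const HEX = { '<': '\\u003C', '>': '\\u003E', '&': '\\u0026', "'": '\\u0027' };

// Serialize to JSON, then rewrite < > & ' as \uXXXX escapes.
// In JSON text these four characters can only appear inside string
// literals, so a textual replace after serialization keeps it valid JSON.
function hexEscapeJson(value) {
  return JSON.stringify(value).replace(/[<>&']/g, (c) => HEX[c]);
}

// What the consumer must still do before handing a decoded string to an
// HTML sink such as innerHTML (textContent avoids the problem entirely).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: a user-supplied comment containing markup.
const sample = { comment: "</script><b>Tom & 'Jerry'</b>" };

function demo() {
  const plain = JSON.stringify(sample);
  const escaped = hexEscapeJson(sample);
  const decoded = JSON.parse(escaped).comment;
  return {
    // Plain JSON inside <script>...</script> would end the block early.
    plainClosesScript: plain.includes('</script>'),
    // The hex-escaped form carries no character the HTML parser reacts to.
    escapedHasMarkupChars: /[<>&']/.test(escaped),
    escaped,
    // Decoding restores the original markup byte for byte.
    decodedUnchanged: decoded === sample.comment,
    // Safe only after output encoding at the point of rendering.
    renderedSafely: escapeHtml(decoded),
  };
}

console.log(demo());
```

The encoding protects the transport context (JSON placed inside a `<script>` block or an HTML attribute); it does nothing for a consumer that assigns the parsed value to `innerHTML`.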
