> payload to innerHTML, you are hosed. Using the \u syntax, even if you mess up and that blob of data finds its way to an innerHTML, nothing nasty can happen. Basically this is a more robust context-protected way
I'm not sure this is correct - if you just write something like:

<script>
var data = <?php echo json_encode($_GET['pleasehackme']); ?>;
myDomElement.innerHTML = data.content;
</script>

you are still in trouble, \u or not. Am I wrong?

-- 
Stanislav Malyshev, Zend Software Architect
[EMAIL PROTECTED] http://www.zend.com/
(408)253-8829 MSN: [EMAIL PROTECTED]

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php