Jared Williams wrote:
<ul>
<? foreach ($items as $item): ?>
  <li><?=htmlspecialchars($item)?></li>
<? endforeach ?>
</ul>
Well, it's the same as the "but I can't validate my php source with xmllint" folks: You're doing it at the wrong point. Escaping should happen at the point where you assign the var as a template var (in my small template class: $tpl->assign('items', $some_data) will escape all "leaves" in the data $some_data). This way you don't have to type it every time, you don't have to read it every time and - best of all - you can't forget to do it, so introducing an XSS vulnerability is much less likely.
Regards,
Stefan

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
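The assign-time escaping described in the reply above, sketched as an added example; it is not Stefan's template class or code from the thread. The `Tpl` class, its `assign()`/`render()` methods, the choice of PHP 8.0+ and the sample data are all assumptions made for illustration.

```php
<?php
// Added illustration (PHP 8.0+); Tpl and its methods are hypothetical names.
final class Tpl
{
    private array $vars = [];
    // Escape once, at assignment, so templates only ever see escaped leaves.
    public function assign(string $name, mixed $value): void
    {
        $this->vars[$name] = self::escape($value);
    }

    private static function escape(mixed $value): mixed
    {
        if (is_array($value)) {
            $out = [];
            foreach ($value as $key => $leaf) {
                // Templates may print keys too, so string keys are escaped as well.
                $out[is_string($key) ? self::html($key) : $key] = self::escape($leaf);
            }
            return $out;
        }
        if (is_string($value) || $value instanceof Stringable) {
            return self::html((string) $value);
        }
        if ($value === null || is_scalar($value)) {
            return $value; // int, float, bool and null cannot carry markup
        }
        // Refuse anything that cannot be walked rather than pass it through unescaped.
        throw new InvalidArgumentException('cannot escape ' . get_debug_type($value));
    }

    private static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    public function render(callable $template): string
    {
        ob_start();
        $template($this->vars);
        return ob_get_clean();
    }
}
$tpl = new Tpl();
// Constructed sample data with markup in a nested leaf.
$tpl->assign('items', ['Tea & biscuits', ['note' => '<script>alert(1)</script>']]);
echo $tpl->render(function (array $v): void {
    echo '<li>', $v['items'][0], '</li><li>', $v['items'][1]['note'], "</li>\n";
});
```

`htmlspecialchars()` with `ENT_QUOTES` covers HTML text and quoted attribute values only; a value that a template places inside a script block, a URL or CSS needs encoding for that context, which a single assign-time pass cannot know.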