On 10/25/06, Joachim Schipper <[EMAIL PROTECTED]> wrote: ...
Just a half-baked thought, but escaping any non-constant expression (i.e., actual variable, not fixed string) passed to the browser or a database would go a long way toward solving most problems.
That would only work if: a) it's unambiguous how the string will be used, so that the correct quoting/encoding rules can be selected, and b) you never need nested encodings. ...
$hello = "<Hello World>";
echo "<Hello World> ", $hello;

could produce

<Hello World> <Hello World>
So what would this output?

echo "<a href=\"/cgi/foo?", $hello, "\">", $hello, "</a>"

...and if the answer is

<a href="/cgi/foo?%3CHello%32World%3E"><Hello World></a>

then try this:

echo "<a href=\"/cgi/foo?", $hello, "\">http://server/cgi/foo?", $hello, "</a>"

and think about what the goal of that is...

Philip Guenther
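The point of the exchange above is that one "escape every variable" pass cannot know which of several encodings a value needs, and that the href case needs two of them layered in the right order. The PHP below is an added example, not code from either poster; the function names (forHtmlText, forUrlQuery, forHrefAttribute, renderLink, renderLinkShowingUrl) and the sample value are assumptions chosen to mirror the thread's echo statements.

```php
<?php
// Added example (not from the thread): context-specific output encoding in PHP.
// The same value needs different, and in the href case nested, encodings
// depending on the slot it is written into.

// Constructed sample value with characters that matter in HTML text,
// in an HTML attribute, and in a URL query string.
$hello = '<Hello World>';

// Context 1: HTML element content. Only HTML metacharacters are escaped.
function forHtmlText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Context 2: a value inside a URL query string (RFC 3986 percent-encoding).
// '<', ' ' and '>' become %3C, %20 and %3E.
function forUrlQuery(string $s): string {
    return rawurlencode($s);
}

// Context 3: that URL placed inside an HTML attribute (href="...").
// Inner layer: URL encoding of the value. Outer layer: HTML attribute
// encoding of the whole URL. Order matters; doing it the other way round
// would percent-encode the '&' of an HTML entity and break the URL.
function forHrefAttribute(string $s, string $extraParam = ''): string {
    $url = '/cgi/foo?' . forUrlQuery($s) . $extraParam;
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// First echo from the thread: a link whose visible text is the raw value.
function renderLink(string $s): string {
    return '<a href="' . forHrefAttribute($s) . '">' . forHtmlText($s) . '</a>';
}

// Second echo from the thread: the visible text is meant to show the URL,
// so it carries the URL-encoded value, then gets HTML text encoding.
function renderLinkShowingUrl(string $s): string {
    $visible = 'http://server/cgi/foo?' . forUrlQuery($s);
    return '<a href="' . forHrefAttribute($s) . '">' . forHtmlText($visible) . '</a>';
}

// Naive single-pass "escape everything the same way" for comparison.
function naiveEscape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "Text:            ", forHtmlText($hello), "\n";
// &lt;Hello World&gt;
echo "Link:            ", renderLink($hello), "\n";
// <a href="/cgi/foo?%3CHello%20World%3E">&lt;Hello World&gt;</a>
echo "Link showing URL:", renderLinkShowingUrl($hello), "\n";
// <a href="/cgi/foo?%3CHello%20World%3E">http://server/cgi/foo?%3CHello%20World%3E</a>

// With a second query parameter the outer layer becomes visible: the '&'
// that separates parameters is an HTML entity inside the attribute.
echo "Two params:      ", forHrefAttribute($hello, '&lang=en'), "\n";
// /cgi/foo?%3CHello%20World%3E&amp;lang=en

// Naive escaping applied to the URL slot: the space is left unencoded and
// the entity text, not the original value, ends up in the query string.
echo "Naive in href:   ", '<a href="/cgi/foo?' . naiveEscape($hello) . '">', "\n";
// <a href="/cgi/foo?&lt;Hello World&gt;">
```

The rule the functions encode is "innermost context first": percent-encode the value for the URL, assemble the URL, then HTML-escape the assembled attribute value. Reversing the order, or applying only one of the two, produces the ambiguous output the thread is asking about.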