I didn't see your answer until now.
well, right. but some people might think a URL couldn't actually be
harmful.
just a few months ago, even the core templates still didn't use h() to
print out content, for example.
and no one cared for decades^^ (except for a few maybe including me)
and I see ton
It's not a danger if you don't use it. Additionally I think FormHelper
escapes attributes so unless you stupidly echo it out without
escaping things should be fine. So like most security issues, they
are easy to solve by using your brain and escaping user supplied data.
-Mark
On Nov 5, 8:41 am,
I searched for answers to this topic at stackoverflow
http://stackoverflow.com/questions/7985366/additional-this-here-security-still-necessary/7985529
/**
* Don't you EVER remove this line else you will make the whole
* application a swiss cheese for XSS!
* We often call echo $this->here in
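An added example, not code from the thread or from CakePHP, showing why that h() call matters: it renders a form action from a constructed request path once raw and once through a local stand-in for h() (assumed here to behave like htmlspecialchars with ENT_QUOTES), then checks whether the rendered tag survived intact.

```php
<?php
// Added example (not from the thread or from CakePHP). Assumption: CakePHP's
// h() is equivalent to htmlspecialchars() with ENT_QUOTES, which is what
// escape_html() below stands in for.

function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Mimics a template line such as <form action="<?= $this->here ?>"> with
// and without escaping the current request path.
function render_form_action(string $here, bool $escape): string
{
    $value = $escape ? escape_html($here) : $here;
    return '<form action="' . $value . '" method="post">';
}

// Defender's check: extract the attribute the way a browser would (up to the
// first unescaped quote) and verify nothing from the path leaked out of it.
function rendered_tag_is_intact(string $html): bool
{
    if (!preg_match('/^<form action="([^"]*)"/', $html, $m)) {
        return false;
    }
    return $html === '<form action="' . $m[1] . '" method="post">';
}

// Constructed request path containing characters that close an attribute
// and start new markup; no real site is referenced.
$here = '/posts/view/1"><b>injected</b><span x="';

$raw  = render_form_action($here, false);
$safe = render_form_action($here, true);

printf("Unescaped: %s\n  intact: %s\n", $raw, rendered_tag_is_intact($raw) ? 'yes' : 'no');
printf("Escaped:   %s\n  intact: %s\n", $safe, rendered_tag_is_intact($safe) ? 'yes' : 'no');
// Expected: the unescaped tag is not intact (markup leaks after the quote),
// the escaped one is, because every " and < is now &quot; and &lt;.
```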