> Which begs the question htmlspecialchars or htmlentities. I err on the
> side of caution, using a single escaping function, to be consistent, that
> calls htmlentities with the appropriate character set and ENT_QUOTES.
I have always just used htmlspecialchars. htmlentities feels like a bad idea if your content is primarily non-Roman characters. The HTML would be unreadable, and I suspect there would be a noticeable performance hit. The goal is to prevent content from being treated as code, which is exactly what htmlspecialchars does.

I don't bother to specify the character set, because it only really matters for htmlspecialchars if you are using something bizarre like BIG5 or UTF-16/32. UTF-8 and ISO-8859-* are the same for all relevant characters. If you specify UTF-8, PHP will check to see if the string is valid UTF-8, which is unnecessary.

-john c.

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
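The two positions in the thread (a single project-wide escaping helper with ENT_QUOTES, and htmlspecialchars rather than htmlentities) can be seen side by side in a short script. This is an added example, not code posted by either participant. It assumes PHP 5.4 or later (for the ENT_SUBSTITUTE and ENT_HTML5 flags) and a page served as UTF-8; the helper name `e()` and the sample strings are constructed for the illustration. The last call shows the one place where the charset argument does matter for safety: when the input is not valid UTF-8, htmlspecialchars returns an empty string unless ENT_SUBSTITUTE is passed, so the value silently disappears from the page instead of being escaped.

```php
<?php
declare(strict_types=1);

// Single escaping helper used everywhere output is built, as the quoted
// post recommends, but built on htmlspecialchars as the reply prefers.
// Assumes PHP >= 5.4 and UTF-8 output pages (assumption for this example).
function e(string $value): string
{
    return htmlspecialchars(
        $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, // escape both quote styles; replace bad bytes
        'UTF-8'
    );
}

// Constructed sample inputs covering the cases discussed in the thread.
$samples = [
    'markup'  => '<b>not bold</b>',        // tags must come out inert
    'quotes'  => 'Bob\'s "profile"',       // both quote styles, for attribute contexts
    'accents' => 'café',                   // Latin-1 range: htmlentities rewrites é
    'greek'   => 'αβγ',                    // non-Roman text
    'badutf8' => "abc\xC3",                // truncated multibyte sequence
];

foreach ($samples as $name => $input) {
    printf("%-8s htmlspecialchars: %s\n", $name, e($input));
    printf("%-8s htmlentities:     %s\n", $name,
        htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Using the helper in the two contexts that matter: element body and a
// single-quoted attribute. ENT_QUOTES is what keeps the attribute closed.
function profileLink(string $name): string
{
    return "<a title='" . e($name) . "'>" . e($name) . "</a>";
}
echo profileLink($samples['quotes']), "\n";

// Without ENT_SUBSTITUTE, invalid UTF-8 makes htmlspecialchars return ''.
// The whole value is dropped rather than escaped, which is easy to miss.
var_dump(htmlspecialchars($samples['badutf8'], ENT_QUOTES, 'UTF-8'));
var_dump(e($samples['badutf8']));
```

Running it shows htmlspecialchars leaving `café` and `αβγ` untouched while htmlentities turns `é` into `&eacute;`, which is the readability point made in the reply, and the final two dumps show the empty string versus the substituted output for the truncated byte sequence.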
