[nycphp-talk] <textarea><?=$variable2?></textarea>
Chris Snyder
chsnyder at gmail.com
Mon Nov 7 11:44:08 EST 2011
On Mon, Nov 7, 2011 at 12:55 AM, justin <justin at justinhileman.info> wrote:
> And you'll want to escape the value of $variable2 ... It gets really
> awkward if $variable2 includes </textarea> :)
>
> echo "<textarea name=example2 rows=10
> cols=50><?=htmlentities($variable2)?></textarea>";
Not just awkward: dangerous. This is the prime vector for cross-site scripting.
Please always run any values you are including in an HTML page through
htmlentities() or htmlspecialchars().
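The two renderings discussed in this thread, side by side, as an added example (not code posted by justin or Chris): the helper names `h()`, `render_textarea_unescaped()`, `render_textarea_escaped()` and `textarea_is_intact()` and the sample value are constructed for illustration, and the check assumes a value only needs escaping as text content, not as a URL or a script literal.

```php
<?php
// Added example, not from the original thread. Shows an untrusted value
// dropped into a <textarea> verbatim versus passed through htmlspecialchars().
// Helper names and the sample value are constructed for illustration.

declare(strict_types=1);

// Escape a value for use as HTML text content or a double-quoted attribute.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE keeps invalid UTF-8
// from silently turning the whole result into an empty string.
// In a template this is the `<?= h($variable2) ?>` form of the subject line.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The pattern from the thread: the value lands in the page unchanged.
function render_textarea_unescaped(string $name, string $value): string
{
    return "<textarea name=\"{$name}\" rows=\"10\" cols=\"50\">{$value}</textarea>";
}

// The hardened form: every interpolated value goes through h().
function render_textarea_escaped(string $name, string $value): string
{
    return "<textarea name=\"" . h($name) . "\" rows=\"10\" cols=\"50\">"
         . h($value)
         . "</textarea>";
}

// Check a rendered fragment: the only "</textarea>" should be the one that
// closes the element, i.e. exactly one occurrence, and it must be at the end.
function textarea_is_intact(string $html): bool
{
    $closing = '</textarea>';
    $lower   = strtolower($html);
    return substr_count($lower, $closing) === 1
        && substr($lower, -strlen($closing)) === $closing;
}

// Constructed sample: a user-supplied value that happens to contain the
// closing tag, the case justin points out.
$value = "First line\nSecond line </textarea> rest of the input";

$raw  = render_textarea_unescaped('example2', $value);
$safe = render_textarea_escaped('example2', $value);

echo 'Unescaped: ', (textarea_is_intact($raw) ? 'intact' : 'value broke out of the textarea'), PHP_EOL;
echo $raw, PHP_EOL, PHP_EOL;

echo 'Escaped:   ', (textarea_is_intact($safe) ? 'intact' : 'value broke out of the textarea'), PHP_EOL;
echo $safe, PHP_EOL;
```

Run with `php example.php`: the unescaped rendering reports that the value broke out of the element, while the escaped one keeps the whole value inside the textarea as `&lt;/textarea&gt;`, which the browser shows to the user as literal text. The same `h()` helper belongs around every value interpolated into markup, not only those inside a textarea.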