[nycphp-talk] <textarea><?=$variable2?></textarea>
Chris Snyder
chsnyder at gmail.com
Mon Nov 7 11:44:08 EST 2011
On Mon, Nov 7, 2011 at 12:55 AM, justin <justin at justinhileman.info> wrote:
> And you'll want to escape the value of $variable2 ... It gets really
> awkward if $variable2 includes </textarea> :)
>
> echo "<textarea name=example2 rows=10
> cols=50><?=htmlentities($variable2)?></textarea>";
Not just awkward: dangerous. This is the prime vector for cross-site scripting.
Please always run any values you are including in an HTML page through
htmlentities() or htmlspecialchars().
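An added example, not code from the thread, showing the `</textarea>` case justin mentions beside the escaping Chris recommends; the helper names and the sample input are my own, and it assumes PHP 7 or later:

```php
<?php
// Added example (not from the original thread). Escaping output before it is
// placed inside an HTML <textarea> keeps user text from closing the element.

// Escaped version: htmlspecialchars() with ENT_QUOTES and an explicit charset
// turns <, >, &, " and ' into entities, so the value cannot end the textarea.
function render_textarea(string $name, string $value): string
{
    $safeName  = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeValue = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<textarea name=\"{$safeName}\" rows=\"10\" cols=\"50\">{$safeValue}</textarea>";
}

// Unescaped version, the shape of the code discussed in the thread, kept only
// to show the difference.
function render_textarea_unsafe(string $name, string $value): string
{
    return "<textarea name=\"{$name}\" rows=\"10\" cols=\"50\">{$value}</textarea>";
}

// Counts closing textarea tags in rendered markup. A correctly escaped
// rendering contains exactly one: the one the template wrote itself.
function count_closing_tags(string $html): int
{
    return substr_count($html, '</textarea>');
}

// Constructed sample input: user-supplied text containing a closing tag,
// the exact case raised in the thread.
$userInput = "hello</textarea><p>this text is now outside the textarea</p>";

$unsafe = render_textarea_unsafe('example2', $userInput);
$safe   = render_textarea('example2', $userInput);

// The unescaped markup gains a second closing tag, so the browser ends the
// textarea early and parses the rest of the value as live HTML; the escaped
// markup keeps the value as inert text inside the element.
printf("unsafe markup: %d closing tag(s)\n", count_closing_tags($unsafe));
printf("safe markup:   %d closing tag(s)\n", count_closing_tags($safe));
echo $safe, "\n";
```

htmlentities() works the same way here; pass the charset explicitly with either function rather than relying on the version-dependent default.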