[Clipart] Fwd: [Bug 689839] Re: internet explorer save button not working

Nathan Eady eady at galion.lib.oh.us
Tue Mar 29 11:24:28 PDT 2011


Piers Haken <piersh at hotmail.com> writes:

> In general you should NEVER put text into an HTML document without
> encoding it first. You should NEVER treat text from the user as
> HTML. 

Well, unless the text is trusted or carefully sanitized first, but yeah.

In Perl there's a standard module for this (HTML::Entities), but I have
no idea how it's usually done in PHP.

(Of course, if you want to be draconian you can just REMOVE any
characters that aren't on an approved list of characters allowed in that
field, which for full names on an English-language site could consist of
A-Z, a-z, space, maybe underscore or hyphen, and possibly apostrophe.
But it's not really necessary to be that harsh.  Just encoding special
characters as entities is good enough to prevent code injection.)

-- 
Nathan Eady
Galion Public Library

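The two approaches the message contrasts, entity-encoding at output versus stripping to an allowed-character list, as an added Python example that is not code from the thread (the sample name and the function names are constructed for illustration):

```python
import html
import re

# Constructed sample input: a display name as a user might submit it.
USER_SUPPLIED_NAME = "O'Brien <script>alert(1)</script>"

# Characters the message lists as acceptable for a full name on an
# English-language site: A-Z, a-z, space, underscore, hyphen, apostrophe.
ALLOWED_NAME_RE = re.compile(r"[^A-Za-z _'\-]")


def encode_for_html(text: str) -> str:
    """Entity-encode text so the browser renders it as data, never as markup.

    quote=True also encodes ' and ", so the result is safe inside attribute
    values as well as in element content.
    """
    return html.escape(text, quote=True)


def strip_to_allowlist(text: str) -> str:
    """The 'draconian' alternative: drop every character not on the list.

    Note that this loses data (the apostrophe survives, but digits and
    accented letters do not), which is why the message calls it harsher
    than necessary.
    """
    return ALLOWED_NAME_RE.sub("", text)


def render_greeting(name: str) -> str:
    """Build the HTML fragment the way the message recommends: encode at the
    point of insertion, whether or not the value was filtered on input."""
    return "<p>Hello, " + encode_for_html(name) + "</p>"


if __name__ == "__main__":
    print(render_greeting(USER_SUPPLIED_NAME))
    print(strip_to_allowlist(USER_SUPPLIED_NAME))
```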