- priority: 5 --> 6
- assigned_to: nobody --> zachofalltrades
I've noticed that most times where 'user' data
(anything the user can put in page titles,
descriptions, etc) is inserted into the page html it is
put in directly. This means you should be writing HTML
in these. While this makes sense for the page body
(obviously ;-)), I think page titles and things should
be text and therefore should be passed through
htmlentities(). This means you can write an & rather
than &amp;. I know most browsers deal with this but it
also applies to other 'odd' characters.
It also applies to items put into input tags in the
config pages - if you try to put something in a config
box that contains a quote (') char then it works, but
the next time you try to edit it only the text
before the quote is shown.
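As an added example (not code from the ticket or from the project), here is the pattern the report describes in PHP: a renderer that drops a user-supplied title straight into the markup, beside one that passes it through htmlentities() on output. The function names and the sample title are constructed for illustration; the attribute-quote truncation and the ampersand case are the ones the report mentions.

```php
<?php
// Added example, not the project's code. Function names and the
// sample value below are constructed for illustration.

// Constructed sample of "user" data: an ampersand, a single quote
// and a tag, all of which a page title may legitimately contain.
$title = "Tom & Jerry's <b>page</b>";

// VULNERABLE: the text is inserted directly. The browser treats <b>
// as a tag, and the single quote terminates the value='...' attribute
// early, so the edit form shows only the text before the quote.
function render_unescaped(string $title): string {
    return "<title>$title</title>\n"
         . "<input type='text' name='title' value='$title'>";
}

// FIXED: escape on output, not on storage, so the raw value is kept
// unchanged and is not double-encoded on the next edit. ENT_QUOTES is
// required here: the default flags on PHP < 8.1 (ENT_COMPAT) escape
// double quotes only, which would leave the single-quoted attribute
// above still broken. Passing the charset explicitly avoids relying
// on the ini default.
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_escaped(string $title): string {
    $t = h($title);
    return "<title>$t</title>\n"
         . "<input type='text' name='title' value='$t'>";
}

echo "Unescaped:\n", render_unescaped($title), "\n\n";
echo "Escaped:\n",   render_escaped($title),   "\n";
```

The escaped form is what the browser decodes back to the original text when it displays the title or submits the form, so the stored value never needs to contain entities; only the rendering step does. The same helper applies to descriptions and any other field that is meant to be plain text rather than page-body HTML.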