But how many people do this?

```php
$safeVar = 'mainbox';
// Escaping happens at the call site, right where the value is placed in the attribute.
$output = '<div class="' . htmlentities($safeVar) . '">Foo</div>';
```

What about the case when you are writing a library? Let's take the simplest example possible:
```php
// Library function: inserts $classText into an attribute without escaping it.
function divWithClass($classText)
{
    return '<div class="' . $classText . '">Foo</div>';
}
```

```php
divWithClass('safeVar');                       // trusted literal
divWithClass(htmlentities($_GET['tainted']));  // caller escapes the user input
```

I've gone from being certain that htmlentities is the library user's responsibility to being certain that it's the library writer's responsibility. And now I don't have a clue what I think.
Let me give one last, more contextual example. I have an object OF_Help that has the following public properties:
- content (an array of strings converted to separate paragraphs)
- class
- javascript events (all of them)
- title
Thoughts?
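As an added example (not code from the original post) of putting the escaping inside the library while still letting a caller hand over a value it has already escaped; it assumes PHP 8.1+, and the names SafeHtml, escapeHtml, safe and check are my own:

```php
<?php
// Added example (not from the original post). The library escapes at the point
// where a value lands in an HTML attribute; a caller that has already escaped a
// value wraps it in SafeHtml so it is not encoded a second time.

final class SafeHtml
{
    public function __construct(public readonly string $html) {}
}

// Attribute/text context: ENT_QUOTES handles both quote styles, ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Caller states explicitly that a value is already escaped.
function safe(string $alreadyEscaped): SafeHtml
{
    return new SafeHtml($alreadyEscaped);
}

// Library function: plain strings are escaped here, SafeHtml passes through.
function divWithClass(string|SafeHtml $classText): string
{
    $class = $classText instanceof SafeHtml ? $classText->html : escapeHtml($classText);
    return '<div class="' . $class . '">Foo</div>';
}

function check(string $actual, string $expected): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("got: $actual\nexpected: $expected");
    }
    echo $actual, "\n";
}

// Constructed inputs standing in for $_GET['tainted'].
$tainted = '"><b>bold</b>';
$withAmp = 'a&b';

check(divWithClass('mainbox'), '<div class="mainbox">Foo</div>');
check(divWithClass($tainted), '<div class="&quot;&gt;&lt;b&gt;bold&lt;/b&gt;">Foo</div>');
// Escaping in both places double-encodes: the caller's &amp; becomes &amp;amp;
check(divWithClass(escapeHtml($withAmp)), '<div class="a&amp;amp;b">Foo</div>');
// Marking the pre-escaped value as safe keeps a single round of encoding.
check(divWithClass(safe(escapeHtml($withAmp))), '<div class="a&amp;b">Foo</div>');
```

This covers the class attribute only; a value that ends up in one of the javascript event attributes on OF_Help needs JavaScript-context encoding before the HTML escaping, because HTML escaping alone does not make it safe inside script.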
