On Wed, Nov 12, 2008 at 3:50 PM, Ulisses Montenegro <[EMAIL PROTECTED]> wrote:
> Also, if you ever need to display those values in any other potentially
> interpreted format (such as a Web page -- browsers interpret and render
> HTML), remember to escape them. Even if you are protecting yourself
> against SQL injection, you might end up vulnerable to XSS/CSRF attacks
> by displaying unescaped data in a web document.
>
> Ulisses
see also http://search.cpan.org/~rsavage/HTML-Entities-Interpolate-1.00/lib/HTML/Entities/Interpolate.pm
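An added example (not part of the thread, and not the module's own documentation) showing the distinction the reply makes in Perl: DBI placeholders keep the value out of the SQL text, but the value that comes back out of the database still has to go through HTML::Entities before it is written into a page. It assumes DBD::SQLite and HTML::Entities are installed; the comment text is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use HTML::Entities qw(encode_entities);

# In-memory SQLite database (assumes DBD::SQLite is installed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

# Constructed sample input: harmless to the SQL layer once bound through a
# placeholder, but live markup if echoed into a page unescaped.
my $comment = q{Nice post! <script>alert("xss")</script> it's '1'='1};

# Placeholders (?) send the value separately from the SQL text, so the
# quotes and angle brackets are stored verbatim and never parsed as SQL.
my $sth = $dbh->prepare('INSERT INTO comments (body) VALUES (?)');
$sth->execute($comment);

# Render one comment as an HTML fragment. Everything read back from the
# database is passed through encode_entities, so <, >, &, " and ' become
# entities and the browser displays them as text instead of interpreting them.
sub render_comment {
    my ($dbh, $id) = @_;
    my ($body) = $dbh->selectrow_array(
        'SELECT body FROM comments WHERE id = ?', undef, $id);
    return '<p class="comment">' . encode_entities($body) . "</p>\n";
}

# The stored value is unchanged: protection against SQL injection did nothing
# to make it safe for HTML, which is why the escaping happens at output time.
my ($stored) = $dbh->selectrow_array('SELECT body FROM comments WHERE id = 1');
print "stored verbatim : $stored\n";
print "rendered safely : ", render_comment($dbh, 1);
```

Escaping belongs at the point of output, once per destination format; escaping on the way into the database would corrupt the stored data and still leave any other output path (JSON, mail, logs) unprotected.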