On Sun, Oct 11, 2009 at 4:14 AM, Hans <[email protected]> wrote:
> HTML and XHTML both share the same set of special characters:
>
> &    &amp;    ampersand
> >    &gt;     greater-than sign
> <    &lt;     less-than sign
> "    &quot;   quotation mark
>
> Any string passed by a form containing any of these characters should be
> encoded with htmlspecialchars ($str, ENT_NOQUOTES)
>
> Any string containing any of these characters from any source, which will be
> displayed in a text box or field, should be encoded with that function too.
It doesn't seem to say you can't have & in the text of an html page. Just to and from form fields--no doubt for security reasons. But again, I don't see the specs on this page, just the list.

One solution to getting & properly escaped might be to just escape ' & ' (with the spaces), as that is the most common use. And we avoid all the special html entities like as well as javascript &&. There may be situations we will miss, but it is fast and easy enough for now.

Perhaps our first order of business is to clarify what the specs actually require. If it is only form inputs we have to worry about, we can focus our efforts there.

Cheers,
Dan
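As an added example (not code from this thread or from the BoltWire project), the PHP snippet below runs constructed sample strings through htmlspecialchars() with the ENT_NOQUOTES flag Hans names, with ENT_QUOTES for comparison, and through the spaced-ampersand shortcut Dan describes, so the cases each approach does and does not touch can be read off side by side. The helper name escapeSpacedAmpersand and the sample strings are assumptions made for the example.

```php
<?php
// Added example; not code from the BoltWire thread or project.
// Side-by-side view of the escaping approaches discussed in the thread.

// Dan's shortcut: escape only an ampersand that has spaces on both sides.
// Hypothetical helper name; the thread only describes the idea.
function escapeSpacedAmpersand(string $s): string
{
    return str_replace(' & ', ' &amp; ', $s);
}

// Constructed sample inputs, each exercising one of the four special
// characters from Hans's table in a different position or context.
$samples = [
    'Smith & Wesson',         // the common case the shortcut targets
    'AT&T',                   // ampersand with no surrounding spaces
    'if (x<y && y>z)',        // JavaScript-style && plus < and >
    'title="say "hi""',       // quotation marks, as seen in attributes
    'already &amp; encoded',  // an entity that is already present
];

printf("%-24s | %-32s | %-32s | %s\n",
    'input', 'ENT_NOQUOTES', 'ENT_QUOTES', 'spaced & only');

foreach ($samples as $in) {
    printf("%-24s | %-32s | %-32s | %s\n",
        $in,
        htmlspecialchars($in, ENT_NOQUOTES),   // &, <, > encoded; " left as-is
        htmlspecialchars($in, ENT_QUOTES),     // also " -> &quot; and ' -> &#039;
        escapeSpacedAmpersand($in));           // only " & " is touched
}

// Both htmlspecialchars() calls above re-encode an existing &amp; to
// &amp;amp;. Passing double_encode = false keeps existing entities intact.
echo htmlspecialchars('already &amp; encoded', ENT_QUOTES, 'UTF-8', false), "\n";
```

Running it shows that the shortcut leaves 'AT&T', '&&', '<' and '>' unescaped, and that only ENT_QUOTES encodes the quotation mark Hans's table lists.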
