On Tue, 22 Jun 2021 at 11:31 am, Hans Henrik Bergan <divinit...@gmail.com> wrote:
> How is one supposed to use this? like
>
> if(!is_trusted($val)){
> $val = htmlentities($str, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE |
> ENT_DISALLOWED, 'UTF-8', true);
> }
> echo "<div>$val</div>";

No, if anything that's the opposite, and almost Taint Checking.

While this is covered in the RFC (https://wiki.php.net/rfc/is_literal) and will be best read in context, in summary: the developer does not use this function; instead you rely on libraries to do that work for you.

In this case you would use an HTML Templating Library (which knows about all the complexities of HTML encoding), and you simply provide the trusted string '<div>?</div>' and the values separately.

The Libraries will then use is_trusted(), with something like this:

https://github.com/craigfrancis/php-is-literal-rfc/blob/main/justification/example.php?ts=4

Craig
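An added example, not the RFC's own example.php and not Craig's code, of the library-side pattern described above: a minimal templating helper that refuses any template which does not pass is_trusted() (assumed available as proposed by the RFC; it is not in stock PHP) and HTML-encodes the separately supplied values. The HtmlTemplate class, its placeholder handling and the $name variable are constructed for this illustration.

```php
<?php
// Added example (assumes the is_trusted() function proposed by the
// is_literal RFC). The application never calls is_trusted() itself;
// the templating library does, on the template string only.

final class HtmlTemplate
{
    // $template must be a literal written in source, e.g. '<div>?</div>'.
    // Each '?' is replaced by the HTML-encoded value at the same index.
    // (Simplified: a literal '?' inside the template cannot be expressed.)
    public static function render(string $template, array $values): string
    {
        if (!is_trusted($template)) {
            // A template assembled from user input is rejected outright
            // rather than "escaped"; escaping is for the values, not the markup.
            throw new InvalidArgumentException('Template must be a trusted literal');
        }

        $parts  = explode('?', $template);
        $values = array_values($values);
        if (count($parts) - 1 !== count($values)) {
            throw new InvalidArgumentException('Placeholder/value count mismatch');
        }

        $out = $parts[0];
        foreach ($values as $i => $value) {
            // Values are untrusted by definition and always encoded for HTML text.
            $out .= htmlentities(
                (string) $value,
                ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED,
                'UTF-8',
                true
            ) . $parts[$i + 1];
        }
        return $out;
    }
}

// Usage: trusted markup and untrusted data travel separately.
$name = $_GET['name'] ?? '';                    // request data; would fail is_trusted()
echo HtmlTemplate::render('<div>?</div>', [$name]);

// A template built from request data is a bug, and the library catches it:
// HtmlTemplate::render('<div>' . $name . '</div>', []);  // throws
```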