Pádraic Brady has posted Automatic Output Escaping In PHP And The Real Future Of Preventing Cross-Site Scripting (XSS)
In the game of mitigating against the risks of XSS, how you escape is not as important as knowing why you are escaping. That second point, understanding why you escape data on output, is unfortunately commonly misunderstood. Yet, without that basic understanding – your choice of how to escape is quite possibly incorrect and, worse, it allows insecure escaping practices to thrive as that misunderstanding becomes embedded in what we pass on to other PHP programmers. We’re self-perpetuating our own ignorance
In this new post Pádraic looks at what automatic escaping is and then continues with an exploration of the complexities. Well worth a read!