Discussion: Why doesn't the htmlspecialchars function convert single quotes to entities by default?
2 messages from 2 displayed.
I believe it's not default because of backward compatibility, maybe they just didn't realize it's necessary and they can't change it now. The best solution is to create some custom function for it which would call htmlspecialchars() with appropriate parameters.
I'd like to mention some cases when it's really wise to escape single quotes since they can lead to some kinds of XSS. Consider this example:
<button onclick="alert('<?= htmlspecialchars($value) ?>');" />
If there were an apostrophe in $value, it could lead to JavaScript injection if htmlspecialchars() were used in its default configuration.
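The custom wrapper the post recommends, as an added example in PHP that is not code from the original post; the helper names e() and js() are assumed. It goes beyond the post by also showing the JavaScript-string encoding step that the onclick example needs, because the browser decodes HTML entities in an attribute value before the JS engine ever parses it.

```php
<?php
// Added example (not from the original post). A wrapper that always passes
// ENT_QUOTES to htmlspecialchars(), as the post suggests, plus the extra
// encoding step needed for the post's <button onclick="alert('...')"> case,
// where the value ends up inside a JavaScript string literal.
declare(strict_types=1);

// HTML-context escape: & < > " and ' all become entities. Before PHP 8.1 the
// default flag set was ENT_COMPAT, which leaves ' alone; since 8.1 ENT_QUOTES
// is part of the default, but passing it explicitly is harmless.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript-string encode: json_encode() produces a valid JS string literal,
// and the JSON_HEX_* flags turn ' " < > & into \uXXXX escapes. Those escapes
// are plain ASCII, so they survive the browser's entity decoding of the
// attribute and are interpreted only by the JS engine.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_THROW_ON_ERROR);
}

$value = "O'Reilly"; // constructed sample input containing an apostrophe

// 1) Pre-8.1 default (ENT_COMPAT): the apostrophe is left as-is and
//    terminates the JS string early.
$a = '<button onclick="alert(\'' . htmlspecialchars($value, ENT_COMPAT, 'UTF-8') . '\');">x</button>';
// <button onclick="alert('O'Reilly');">x</button>

// 2) ENT_QUOTES alone is still not enough inside an event handler: the HTML
//    parser decodes &#039; back to ' before the JS engine parses the handler,
//    so the JS engine sees the same broken string as in case 1.
$b = '<button onclick="alert(\'' . e($value) . '\');">x</button>';
// <button onclick="alert('O&#039;Reilly');">x</button>   JS sees alert('O'Reilly');

// 3) JS-encode first, then HTML-escape the result for the attribute. The
//    browser decodes &quot; to " and the JS engine then reads the well-formed
//    literal "O\u0027Reilly".
$c = '<button onclick="alert(' . e(js($value)) . ');">x</button>';
// <button onclick="alert(&quot;O\u0027Reilly&quot;);">x</button>

// 4) Plain HTML text or attribute context: e() on its own is the right tool.
$d = '<input value="' . e($value) . '">';
// <input value="O&#039;Reilly">

echo $a, "\n", $b, "\n", $c, "\n", $d, "\n";
```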