Talk:Security checklist for developers/Archive 1

On the article page, say clearly that Html::rawElement does not escape the third extra argument, and that we have to use either

Always use the ENT_QUOTES flag, which converts both double and single quotes. PHP unfortunately has "escape only single quotes" as the default.[1]
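As an added illustration of the ENT_QUOTES point above (example code written for this page, not code from the checklist or from MediaWiki; the input string and the helper names are constructed), the weak flag set is shown beside the recommended one, with the flags passed explicitly so the result does not depend on any PHP version's default:

```php
<?php
// Escaping an untrusted value for HTML text and attribute contexts.
// Constructed sample input containing both kinds of quote and a tag.
$untrusted = "O'Brien \"the\" <tester>";

// Weak: ENT_COMPAT converts double quotes only. A single quote passes
// through unchanged, so the value can terminate a single-quoted attribute.
function escapeCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// Recommended: ENT_QUOTES converts both ' and ", so the value is safe in
// single-quoted attributes, double-quoted attributes and text content.
function escapeQuotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build a span whose title attribute is single-quoted, using the given escaper.
function titledSpan(callable $esc, string $value): string
{
    $e = $esc($value);
    return "<span title='" . $e . "'>" . $e . "</span>";
}

// True only if no raw quote of either kind survived escaping, i.e. the value
// cannot close an attribute whichever quote style the template author used.
function safeInAnyAttribute(string $escaped): bool
{
    return strpos($escaped, "'") === false && strpos($escaped, '"') === false;
}

foreach (['escapeCompat', 'escapeQuotes'] as $esc) {
    echo $esc, ': ', titledSpan($esc, $untrusted), "\n";
    echo '  safe in any attribute: ', var_export(safeInAnyAttribute($esc($untrusted)), true), "\n";
}
```

Running it shows the ENT_COMPAT form leaving a raw single quote inside the title attribute, while the ENT_QUOTES form keeps the attribute intact; a wrapper that always applies the ENT_QUOTES version is the simplest way to make the checklist rule hard to get wrong.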

References
