Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have the following array:
'tagline_p' => "I'm a <a href='#showcase'>multilingual web</a> developer, designer and translator. I'm here to <a href='#contact'>help you</a> reach a worldwide audience.",
Should I escape the HTML tags inside the array to avoid hackings to my site? (How to escape them?)
or is OK to have HTML tags inside an array?
The only time it becomes a problem is when it contains user input. You know what you put in your array, and trust it. But you don’t know what users are passing in, and don’t trust that.
So in this particular case, escaping is not needed. But as soon as user input is involved, you should escape the input.
It’s not the HTML itself that is dangerous, but the type of HTML users can pass in, like script tags which allow them to execute Javascript.
Addition
Note that it’s best practice to only escape on output not on input. The output is where the data can do damage, so you want to consistently escape that. That way, you don’t have to make sure that all input is escaped.
That way, you don’t have problems when outputting data to different formats where maybe different rules apply. You don’t have to use things like
stripslashes()orhtmlspecialchars_decode()if you don’t need things to be output as html.