It would only work if you're serving the page as XML (application/xhtml+xml); there are no CDATA sections in plain HTML. Most browsers in HTML mode would just ignore the example CDATA section.
And throwing <![CDATA[...]]> around a string is not sufficient to wrap it, anyway. If your trace information had the sequence ]]> in it, that'd end the CDATA section and you'd be back at the same problem. So you have to do at least one escape to cope with that case, and if you're going to be doing an escaping process anyway you might as well do a proper HTML-escape.
This is why CDATA sections are largely pointless. A lot of people seem to think it somehow absolves them of thinking about escaping issues, but it really doesn't.
Anyway, HTML-escaping isn't inefficient. It's a couple of string replaces. Any web app(*) will be doing a hundred HTML-escapes every page. Adding one more — especially for a debugging case where efficiency doesn't matter at all! — is no great burden.
(*: well, except for poorly-written apps from PHP tutorials, whose authors have never even heard of htmlspecialchars, obviously.)
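The point about `]]>` can be checked with an XML parser. The following is an added example, not part of the original answer: it wraps two constructed trace strings three ways (naive CDATA, CDATA with `]]>` split across sections, and plain HTML-escaping) and parses each result as XML. The function names and sample strings are assumptions made for illustration.

```python
import html
import xml.etree.ElementTree as ET

def wrap_cdata_naive(text):
    # No escaping at all: the approach the answer argues against.
    return "<pre><![CDATA[" + text + "]]></pre>"

def wrap_cdata_split(text):
    # The one escape CDATA still needs: split each "]]>" across two sections.
    return "<pre><![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]></pre>"

def wrap_escaped(text):
    # Ordinary HTML-escape; the output is valid as HTML and as XHTML.
    return "<pre>" + html.escape(text) + "</pre>"

def parse_as_xml(markup):
    """Parse the way an XML parser would for application/xhtml+xml.

    Returns (text, child_tags), or None if the markup is not well-formed.
    """
    try:
        root = ET.fromstring(markup)
    except ET.ParseError:
        return None
    return "".join(root.itertext()), [child.tag for child in root]

# Constructed trace strings (not from the original post).
TRACE_BREAKS = 'if (a[b[0]]>1 && x<y) fail("bad & ugly")'
TRACE_MARKUP = "a]]><b>now markup</b><![CDATA[b"

def compare(text):
    # Wrap the same text three ways and report what the parser sees.
    return {
        "naive": parse_as_xml(wrap_cdata_naive(text)),
        "split": parse_as_xml(wrap_cdata_split(text)),
        "escaped": parse_as_xml(wrap_escaped(text)),
    }

if __name__ == "__main__":
    for sample in (TRACE_BREAKS, TRACE_MARKUP):
        print(repr(sample))
        for name, result in compare(sample).items():
            print(f"  {name:8} -> {result!r}")
```

With naive wrapping, the first sample makes the document ill-formed and the second turns part of the trace into a real `<b>` element; the split and escaped forms both round-trip the text, and only the escaped form also works when the page is served as plain HTML.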