I have a page where I have approximately 90 items I need to output. Most of them are object properties (I am using an ORM, so these objects map to my database tables). But the question is, do I have to encode each of those 90 outputs by applying functions to each (in my case, the htmlspecialchars)? Wouldn't that add a bit of an overhead (calling a single function 90 times)?

EDIT: The term is "output encoding"...hehe

+4  A: 

Someone will, at some point, enter data that can mess up your HTML page. They may do this accidentally (the company name has an ">" in it), or intentionally (see XSS).

So, yes, always properly encode output.

Eric J.
+1 - though I'd add in answer to the other bit of his question, don't believe `htmlspecialchars` is slowing you down until you've proved it. Calling it 90 times is very likely to be virtually free, unless the 90 blocks of data you're calling it on are all massive.
Dominic Rodger
+1 for calling it encoding and not escaping, and also for being correct.
Rook
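As an added example (not code from the question or the answers), here is how the encode-everything advice looks in practice, plus a quick measurement of the "90 calls" cost. It assumes a PHP 8 project whose ORM entities expose their columns as public properties; the `e()` and `encodeEntity()` helpers are hypothetical names.

```php
<?php
// Added example, not part of the original question or answers.
// Assumes PHP >= 8.0 and entities with public properties (a hypothetical setup).
declare(strict_types=1);

/**
 * The single place that turns a raw string into HTML text. ENT_QUOTES also encodes
 * ' and ", so the result is safe inside quoted attributes; the charset must match
 * the page's declared charset or the encoding can be bypassed.
 */
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode every string property of an entity in one pass (ints, dates etc. pass through). */
function encodeEntity(object $entity): array
{
    $out = [];
    foreach (get_object_vars($entity) as $name => $value) {
        $out[$name] = is_string($value) ? e($value) : $value;
    }
    return $out;
}

// Constructed sample row: one accidental breakage (the ">" case from the answer)
// and one constructed hostile value, both arriving "from the database".
$company = new stdClass();
$company->name    = 'Acme > Widgets & "Sons"';
$company->notes   = '<script>alert("xss")</script>';
$company->founded = 1987;

$c = encodeEntity($company);
echo "<h1>{$c['name']}</h1>\n";
echo "<p title=\"{$c['name']}\">{$c['notes']} (est. {$c['founded']})</p>\n";

// Is 90 calls per page expensive? Encode 90 typical fields, 1000 pages' worth.
$fields = array_fill(0, 90, 'Typical column value with & and <tags> in it');
$start = hrtime(true);
for ($i = 0; $i < 1000; $i++) {
    array_map('e', $fields);
}
$msPerPage = (hrtime(true) - $start) / 1000 / 1e6;
printf("90 encodes per page: %.3f ms\n", $msPerPage);
```

The printed timing is the practical answer to the overhead question: measure it on your own box before optimising anything, as the comment above suggests.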