So you're rewriting content as it arrives from form fields by passing it through two escaping functions? You will end up encoding some things like & twice won't you? This will end up mangling perfectly valid form fields and it'd be hard to get back to the original, so I wouldn't recommend it.
Usually it's considered better to sanitize on output (to HTML) rather than at the time of input.
http://stackoverflow.com/questions/11253532/html-xss-escape-on-input-vs-output
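As an added illustration of the point made above (example code, not from the comment author or the linked thread): storing the raw field value and HTML-escaping it once, at the moment it is written into an HTML page, round-trips exactly; escaping at input time and again at output turns every `&` into `&amp;amp;`, and also leaks HTML entities into non-HTML sinks such as a JSON API. The sample input string and the helper names are constructed for this example.

```python
import html
import json

# Constructed sample: what a user typed into a form field.
USER_INPUT = 'Tom & Jerry <script>alert(1)</script> "quoted"'


def escape_at_input(value: str) -> str:
    """The pattern the comment warns against: HTML-escape before storing."""
    return html.escape(value, quote=True)


def render_html(stored: str) -> str:
    """Output-time escaping: the raw stored value is escaped exactly once,
    at the point where it becomes part of an HTML document."""
    return "<p>" + html.escape(stored, quote=True) + "</p>"


def render_json(stored: str) -> str:
    """A non-HTML sink. JSON has its own escaping rules; an HTML entity
    stored at input time would be served here verbatim."""
    return json.dumps({"name": stored})


def render_double_escaped(raw: str) -> str:
    """Escape at input, then again at output: '&' becomes '&amp;amp;'."""
    return render_html(escape_at_input(raw))


def text_shown_to_user(rendered: str) -> str:
    """Approximation of what a browser displays for the <p> body:
    entities are decoded once, tags are not interpreted here."""
    inner = rendered[len("<p>"):-len("</p>")]
    return html.unescape(inner)


if __name__ == "__main__":
    print(render_html(USER_INPUT))
    print(text_shown_to_user(render_html(USER_INPUT)))          # exactly what was typed
    print(render_double_escaped("Tom & Jerry"))
    print(text_shown_to_user(render_double_escaped("Tom & Jerry")))  # mangled: Tom &amp; Jerry
    print(render_json(escape_at_input("Tom & Jerry")))          # entity leaks into JSON
    print(render_json("Tom & Jerry"))
```

The safe variant keeps the database value identical to what the user typed, so the same value can be rendered into HTML, JSON, plain-text email or a log line with the escaping that each sink actually needs; the escape-at-input variant commits to one sink's encoding before knowing where the value will end up.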