Interesting post on HTML escaping. While it's a good thing to keep in mind, I do find that it is somewhat over-hyped.

The feeling that I get from a quick glance at the article is "warning: if you escape only &, <, > and ", then a clever attacker can use a tricky sequence of characters to pwn your page." But really, after reading it all in detail, the message is a far less alarming "warning: if you escape only &, <, > and ", then a stupid programmer can insert the result into a bare (or single-quoted) attribute value, and then open up the program to a very obvious attack."

In other words, if you escape only those four characters and then only ever insert the result into bare HTML text or double-quoted attribute values, then you should be 100% safe. (I THINK.) For good measure, you can also escape ' to allow insertion of the result into single-quoted attribute values as well. I don't see a need to escape a ton of other characters just in case someone stupidly puts it in a bare attribute value.
Shared publiclyView activity