Talk:Security checklist for developers/Archive 1
This page is an archive. Do not edit the contents of this page. Please direct any additional comments to the current talk page.
On the article page, say clearly that Html::rawElement does not escape the third extra argument, and that we have to use either
- Html::element, if this is possible, or
- $thirdArgument = htmlspecialchars( $thirdArgument, ENT_QUOTES )
- Always use the ENT_QUOTES flag, which converts both double and single quotes. PHP unfortunately has "escape only single quotes" as the default.[1]
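The difference the comment above is pointing at, as an added example that is not part of the original talk page or of MediaWiki's code: `escapeAttr()` and `safeElement()` are hypothetical stand-ins written here, not MediaWiki's `Html::element`, and they exist only to show what `htmlspecialchars()` does to each quote character with and without `ENT_QUOTES`. Which flags are used when none are passed depends on the PHP version, so passing `ENT_QUOTES` explicitly removes that dependency.

```php
<?php
// Added example; not MediaWiki code. escapeAttr() and safeElement() are
// hypothetical stand-ins that show the escaping Html::element performs and
// that Html::rawElement's third argument does NOT receive.

declare(strict_types=1);

// Escape one attribute value with the given htmlspecialchars() flags.
function escapeAttr(string $value, int $flags): string
{
    return htmlspecialchars($value, $flags, 'UTF-8');
}

// Build an element whose attribute values and text content are always
// escaped. Attribute values are wrapped in single quotes on purpose: with
// ENT_QUOTES a single quote inside the value becomes an entity, so the
// value cannot terminate the attribute it sits in.
function safeElement(string $tag, array $attrs, string $content): string
{
    $out = '<' . $tag;
    foreach ($attrs as $name => $value) {
        $out .= ' ' . $name . "='" . escapeAttr((string) $value, ENT_QUOTES) . "'";
    }
    return $out . '>' . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . '</' . $tag . '>';
}

// Constructed untrusted input containing both kinds of quote.
$untrusted = "O'Reilly \"quoted\"";

// ENT_COMPAT converts only double quotes; the single quote passes through.
echo 'ENT_COMPAT: ', escapeAttr($untrusted, ENT_COMPAT), "\n";

// ENT_QUOTES converts both quote characters.
echo 'ENT_QUOTES: ', escapeAttr($untrusted, ENT_QUOTES), "\n";

// The same input used as both an attribute value and the text content.
echo safeElement('span', ['title' => $untrusted], $untrusted), "\n";
```

Run with `php example.php`. With `ENT_COMPAT` the output keeps the bare `'` and encodes only `"` as `&quot;`; with `ENT_QUOTES` the single quote is also encoded (as `&#039;` under the default HTML 4.01 doctype), which is why the checklist should tell developers to pass `ENT_QUOTES` whenever they escape a value themselves instead of letting `Html::element` do it.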