274 incorporates `xml_escape` in a bunch of places, which at least stops special characters from breaking HTML parsing. But we can make it better by using `cgi_escape`, `uri_escape`, `strip_html`, or a custom regex to strip whatever characters are appropriate for the context.

Examples:

- `alt` or `aria-label` attributes should ideally remove all special characters, so that they're not announced by screen readers. `xml_escape` will leave behind HTML entities, which are annoying to hear on a screen reader.
- `href` and `src` attributes and CSS `url()` should probably use `uri_escape`.
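To make the "escape for the context" point concrete, here is an added Ruby example (not code from the PR or the theme itself) that approximates the Liquid filters named above with Ruby standard-library calls: `CGI.escapeHTML` stands in for `xml_escape`, `ERB::Util.url_encode` for `uri_escape`, and a tag-stripping regex plus a character allowlist for `strip_html` with a custom regex. The helper names (`html_escape`, `alt_text`, `url_component`, `safe_href`), the scheme allowlist in `safe_href`, and the sample strings are assumptions made for the example; they are not filters the theme ships.

```ruby
require "cgi"
require "erb"

# Constructed untrusted inputs, standing in for front-matter values
# that a template might interpolate into different HTML contexts.
SAMPLE_TITLE = %q(Tom's "Big" <b>Day</b> & more)
SAMPLE_QUERY = %q(a b&c="<x>")

# Text-node / generic attribute context (what xml_escape does):
# entity-encode & < > " ' so the value cannot break out of the markup.
def html_escape(s)
  CGI.escapeHTML(s)
end

# alt / aria-label context: the value is read aloud, so instead of
# encoding special characters we drop tags (strip_html) and then remove
# anything outside word characters, whitespace and light punctuation
# (the "custom regex" approach). No entities are left to be announced.
def alt_text(s)
  s.gsub(/<[^>]*>/, "")           # strip_html
   .gsub(/[^\w\s.,!?'-]/, "")     # context-specific allowlist
   .squeeze(" ")
   .strip
end

# Single URL component (query value, path segment) context:
# percent-encode everything except unreserved characters (uri_escape-like).
def url_component(s)
  ERB::Util.url_encode(s)
end

# Whole-URL href/src context: percent-encoding alone does not help when the
# value IS the URL, so (assumption for this example) only relative URLs and
# http(s) are accepted, then the result is attribute-escaped for the markup.
def safe_href(url)
  return "#" unless url.match?(%r{\A(https?:|/|#)}i)
  html_escape(url)
end

# Render one element using the right helper for each attribute.
def render_img(title, query)
  %(<img src="/search?q=#{url_component(query)}" ) +
    %(alt="#{alt_text(title)}" title="#{html_escape(title)}">)
end

if __FILE__ == $PROGRAM_NAME
  puts html_escape(SAMPLE_TITLE)   # entities survive: noisy on a screen reader
  puts alt_text(SAMPLE_TITLE)      # plain spoken text, no entities
  puts render_img(SAMPLE_TITLE, SAMPLE_QUERY)
end
```

Running it side by side shows why a single escaping filter is not enough: `html_escape` keeps the title safe for the parser but leaves `&quot;` and `&amp;` in the output, whereas `alt_text` yields plain words for the screen reader, and the URL helpers handle their own grammar rather than HTML's.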