Closed Erikmitk closed 4 years ago
Is using CDATA (`<![CDATA[characters with markup]]>`) not a good alternative instead of escaping any HTML character?
No. That makes no sense since I'm populating an HTML element's attribute. CDATA has no meaning there and would be interpreted as a string.
This prevents (among other things) double quotes leaking in the HTML output and breaking the tags by correctly encoding HTML entities before writing the output.
I could not generate these cases in the backend, but a quick test to verify is simply setting the meta tag `$value` in code directly before the output to something like `$value='"TestMitUmlauten&Anführungszeichen"';`. Without the `htmlspecialchars` the source is broken due to the nesting of double quotes.
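The behaviour described in this thread, as an added example rather than code from the PR: the raw and the `htmlspecialchars`-encoded rendering of a `<meta>` attribute side by side. The helper names, the flags and the test string are constructed here, not taken from the project.

```php
<?php
// Added example (not from the PR): rendering a <meta> attribute with and
// without htmlspecialchars. The test value is constructed, modelled on the
// string quoted in the thread.

function renderMetaRaw(string $name, string $value): string
{
    // Unescaped: any double quote inside $value closes the attribute early
    // and the remainder of the string is parsed as markup.
    return sprintf('<meta name="%s" content="%s">', $name, $value);
}

function renderMetaEscaped(string $name, string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value is safe whichever
    // delimiter the attribute uses; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of silently returning an empty string. The charset argument
    // must match the page encoding so the umlauts survive untouched.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

    return sprintf(
        '<meta name="%s" content="%s">',
        htmlspecialchars($name, $flags, 'UTF-8'),
        htmlspecialchars($value, $flags, 'UTF-8')
    );
}

// Constructed test value: double quotes, an ampersand and umlauts.
$value = '"TestMitUmlauten&Anführungszeichen"';

// Broken: the embedded quotes terminate the content attribute.
echo renderMetaRaw('description', $value), PHP_EOL;

// Safe: quotes and ampersand become entities, which the browser decodes
// back to the original text when reading the attribute.
echo renderMetaEscaped('description', $value), PHP_EOL;

// A CDATA wrapper gives no protection in an attribute: it is just more
// characters, and its own < and > are encoded like everything else.
echo renderMetaEscaped('description', '<![CDATA[" still closes the attribute]]>'), PHP_EOL;
```

The first line shows the attribute being closed by the value's own double quote; in the second the quotes are emitted as `&quot;` and the ampersand as `&amp;`, while the non-ASCII characters pass through unchanged.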