http://qs321.pair.com?node_id=596686


in reply to Re: clean html tags
in thread clean html tags

"'" => "&apos;",

The apos entity is an XML built-in, and isn't defined for HTML. While some browsers support it in text/html documents, this is error correction and you should not use it.

It's best to escape the data as it's coming in; otherwise it's very difficult to distinguish between, for example, a less-than sign that should be converted to &lt; and one that is part of the markup.

My preference is to convert from text to HTML at the last minute to avoid issues where I need to manipulate the data in Perl. (Template::Stash::EscapeHTML is quite cool).

What matters though is doing it in one place, so it's easy to spot when you forget to protect a bit of user input from XSS et al.
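An added illustration of the two points above (this is example code, not from the thread or from Template::Stash::EscapeHTML): raw user text is kept unescaped while Perl works on it, and a single `escape_html` routine (assumed name) is applied once at the point the text becomes HTML, using `&#39;` rather than the non-HTML `&apos;`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One escaping routine, used at output time only. &#39; is used for the
# apostrophe because &apos; is an XML built-in, not an HTML 4 entity.
my %escape = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

sub escape_html {
    my ($text) = @_;
    $text =~ s/([&<>"'])/$escape{$1}/g;
    return $text;
}

# Constructed sample input: stored as the user typed it, unescaped.
my @comments = (
    q{Tom's review: <b>great</b> & cheap},
    q{<script>alert('xss')</script>},
);

# Manipulating the raw text is safe: truncating here cannot split an
# entity such as "&amp;" in half, which it could if the text had been
# escaped on the way in.
my @short = map { length > 20 ? substr($_, 0, 20) . '...' : $_ } @comments;

# Escape exactly once, at the last minute, where the text becomes markup.
for my $c (@short) {
    print '<li>', escape_html($c), "</li>\n";
}
```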