esc() dropdowns/checkboxes/numbers in views
#1

In this post (https://forum.codeigniter.com/thread-770...#pid377848) @jreklund makes the statement that everything that a user could manipulate should be escaped in the view.  I have a couple of questions though:

1- An end-user wouldn't be able to change the contents of a dropdown or multi-select other than to select pre-existing options, so should those outputs be escaped? If not, what about users who use tools like Greasemonkey to modify the generated HTML form? Perhaps that's more of an argument for validating input than escaping output.

2- esc() takes a string or array as its first argument. So, does this mean that checkbox attribute values and numbers do not need to be escaped?
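As an added illustration that is not part of the original post: a CodeIgniter 4 view fragment applying esc() to the three cases asked about (dropdown options, a numeric field, a checkbox). It assumes CI4's esc() helper and uses constructed sample data in place of the values a controller would normally pass to the view.

```php
<?php
// Added example, not code from the forum thread. Assumes CodeIgniter 4's
// esc($data, $context) helper. $options, $selectedId, $qty and $newsletter
// are constructed sample data standing in for controller-supplied values.
$options = [                  // constructed: imagine these rows came from the DB
    7  => 'Plain label',
    12 => 'Label with "quotes" & <angle> brackets',
];
$selectedId = 12;             // constructed: value re-displayed after a submit
$qty        = 3;              // constructed: numeric field
$newsletter = true;           // constructed: checkbox state
?>
<select name="category">
<?php foreach ($options as $id => $label): ?>
    <?php $selected = ((string) $id === (string) $selectedId) ? ' selected' : ''; ?>
    <!-- value sits inside an attribute, so use the 'attr' context;
         the label is element text, so the default 'html' context applies -->
    <option value="<?= esc((string) $id, 'attr') ?>"<?= $selected ?>>
        <?= esc($label) ?>
    </option>
<?php endforeach; ?>
</select>

<!-- Numbers: esc() accepts a string or array, so cast first. If the variable
     is actually a string (e.g. a rejected submission echoed back with the
     validation errors), the same line escapes it too. -->
<input type="number" name="qty" value="<?= esc((string) $qty, 'attr') ?>">

<!-- Checkbox: value is a fixed literal, and the only dynamic part is the
     boolean "checked" decision, so no text from data is ever echoed raw. -->
<input type="checkbox" name="newsletter" value="1"<?= $newsletter ? ' checked' : '' ?>>
```

The option labels, not just the submitted selection, are the part that needs escaping here: whatever was stored in the database is rendered into every user's page, regardless of what the browser lets a given user pick.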