Topic on Project:Support desk

using HTMLForm class vs adding HTML directly

146.175.202.30

Hello,

When building custom forms in MediaWiki special pages, you have the option to directly inject your own HTML into the page, or use the MediaWiki HTMLForm builder class. My question is, what are the advantages of using the built-in form builder vs. just injecting the HTML using getOutput()->addHTML()? Thanks.

TheDJ

The HTMLForm builder applies the proper escaping to everything. Using raw HTML is a bit more adventurous because you need to make sure yourself that you are not introducing a security leak. Especially in forms, with user input, taking care of proper escaping is something not to take lightly.
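As an added illustration of the point above (not code from this thread or from MediaWiki itself), here is a special page that shows the raw-HTML pattern next to the HTMLForm descriptor pattern. The page name "Greet", the field "username" and the i18n message keys are assumptions; the global `Html`, `HTMLForm` and `SpecialPage` class names are those of MediaWiki core.

```php
<?php
// Added example: the same one-field form built two ways.
class SpecialGreet extends SpecialPage {
    public function __construct() {
        parent::__construct( 'Greet' ); // hypothetical special page name
    }

    // Risky pattern: the form is assembled by string concatenation and the
    // submitted value is written back without escaping, so a value containing
    // a quote or angle bracket becomes markup. The author must remember
    // Html::element() / htmlspecialchars() on every interpolated value, on
    // every field, every time. Kept here only for comparison; not called.
    private function showRawHtmlForm( string $name ): void {
        $this->getOutput()->addHTML(
            '<form method="post">'
            . '<input name="username" value="' . $name . '">' // unescaped user input
            . '<input type="submit">'
            . '</form>'
        );
    }

    // Safer pattern: describe the fields and let HTMLForm render them.
    // Labels, attribute values and the redisplayed default are escaped by the
    // library, and the form also gets an edit-token check and submit handling.
    private function showHtmlForm(): void {
        $formDescriptor = [
            'username' => [
                'type' => 'text',
                'label-message' => 'greet-username', // hypothetical message key
                'default' => $this->getRequest()->getText( 'username' ),
                'required' => true,
            ],
        ];
        $form = HTMLForm::factory( 'ooui', $formDescriptor, $this->getContext() );
        $form->setSubmitTextMsg( 'greet-submit' ); // hypothetical message key
        $form->setSubmitCallback( function ( array $data ) {
            // $data['username'] is the validated field value. Anything you
            // write back into the page yourself still has to be escaped:
            // Html::element() escapes the text content for you.
            $this->getOutput()->addHTML(
                Html::element( 'p', [], 'Hello, ' . $data['username'] )
            );
            return true;
        } );
        $form->show();
    }

    public function execute( $subPage ) {
        $this->setHeaders();
        $this->showHtmlForm();
    }
}
```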
