Talk:Security checklist for developers/Archive 1

On the article page, say clearly that Html::rawElement does not escape the third extra argument, and that we have to use either
 * Html::element - if this is possible - or
 * $thirdArgument = htmlspecialchars( $thirdArgument, ENT_QUOTES )
 * Always use the ENT_QUOTES flag, which converts both double and single quotes. PHP unfortunately has "escape only single quotes" as the default.
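An added example to go with the points above (it is not code from this talk page or from MediaWiki itself): the two functions `rawElementStandIn` and `elementStandIn` are hypothetical stand-ins that only mirror the argument order and the escaping behaviour of `Html::rawElement` / `Html::element` described above, so the script runs without MediaWiki loaded; `escapeForRaw` and the `$untrusted` value are likewise constructed for the demonstration.

```php
<?php
// Constructed untrusted input containing both kinds of quotes and a tag.
$untrusted = "Rock 'n' Roll said \"<b>bold</b>\"";

// Hypothetical stand-in for Html::rawElement: $contents is inserted verbatim,
// which is exactly why the caller must escape it.
function rawElementStandIn( string $element, array $attribs, string $contents ): string {
    return "<$element>" . $contents . "</$element>";
}

// Hypothetical stand-in for Html::element: the content is escaped for us.
function elementStandIn( string $element, array $attribs, string $contents ): string {
    return "<$element>" . htmlspecialchars( $contents, ENT_QUOTES ) . "</$element>";
}

// What a caller does when rawElement is unavoidable (e.g. because part of the
// content is trusted markup): escape every untrusted piece with ENT_QUOTES.
// Passing the flag explicitly converts both " and ' and makes the result
// independent of the PHP version's default flags.
function escapeForRaw( string $s ): string {
    return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
}

// 1. Unsafe: the injected tag and the quotes reach the page as-is.
echo rawElementStandIn( 'span', [], $untrusted ), "\n";
// <span>Rock 'n' Roll said "<b>bold</b>"</span>

// 2. Safe: Html::element-style escaping.
echo elementStandIn( 'span', [], $untrusted ), "\n";
// <span>Rock &#039;n&#039; Roll said &quot;&lt;b&gt;bold&lt;/b&gt;&quot;</span>

// 3. Safe: caller escapes the untrusted part, then concatenates trusted markup
//    and hands the whole string to the raw variant.
echo rawElementStandIn( 'span', [], '<b>Quote:</b> ' . escapeForRaw( $untrusted ) ), "\n";
// <span><b>Quote:</b> Rock &#039;n&#039; Roll said &quot;&lt;b&gt;bold&lt;/b&gt;&quot;</span>

// Check a reviewer can keep in a unit test: the escaped form must contain no
// raw quotes or angle brackets (strpbrk returns false when none is found).
if ( strpbrk( escapeForRaw( $untrusted ), "<>\"'" ) !== false ) {
    throw new RuntimeException( 'escapeForRaw left a dangerous character in place' );
}
```

Case 3 is the pattern the checklist should spell out: the only strings that may reach the third argument of the raw variant unescaped are ones the code itself built as markup; anything that originated outside the code goes through `htmlspecialchars( ..., ENT_QUOTES )` first.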