Thread:Project:Support desk/Does this extension need htmlspecialchars() ?/reply

I think (and looking at Extension:Cite uses it in this way) that any time you are taking user input (i.e. wikitext) and displaying it in the browser, you need to use  or some other form of input sanitation.

I'll try to get someone to look at your extensions, but you should really try to get them into Gerrit so that MW experts can easily review them.
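The point made in the reply above, as an added example that is not part of the original post or of any extension discussed in the thread: a tag callback that returns its input unescaped, beside one that escapes it. The `<notebox>` tag, the function names and the sample inputs are hypothetical, and the callbacks are plain functions so the file runs without MediaWiki.

```php
<?php
// Added illustration with hypothetical names. In a real extension the
// callback is registered with $parser->setHook() and receives
// ( $input, array $args, Parser $parser, PPFrame $frame ); only the first
// two parameters matter for escaping, so only those are modelled here.

// Unescaped: tag body and attribute value are copied into the HTML as-is.
function renderNoteboxUnsafe( $input, array $args ) {
    $title = $args['title'] ?? '';
    return '<div class="notebox" title="' . $title . '">' . $input . '</div>';
}

// Escaped: every user-controlled string goes through htmlspecialchars().
// ENT_QUOTES also encodes single quotes, which matters inside attributes.
// $input is null for a self-closed tag, hence the string cast.
function renderNoteboxSafe( $input, array $args ) {
    $title = htmlspecialchars( $args['title'] ?? '', ENT_QUOTES, 'UTF-8' );
    $body = htmlspecialchars( (string)$input, ENT_QUOTES, 'UTF-8' );
    return '<div class="notebox" title="' . $title . '">' . $body . '</div>';
}

// Constructed sample inputs: plain text, markup in the body and in the
// attribute, and ordinary text that merely contains special characters.
$samples = [
    [ 'Plain note text', [ 'title' => 'Reminder' ] ],
    [ '<script>alert(1)</script>', [ 'title' => 'x" onmouseover="alert(1)' ] ],
    [ 'Tom & "Jerry"', [] ],
    [ null, [ 'title' => "it's self-closed" ] ],
];

foreach ( $samples as [ $input, $args ] ) {
    $unsafe = renderNoteboxUnsafe( $input, $args );
    $safe = renderNoteboxSafe( $input, $args );
    echo 'input : ' . var_export( $input, true ) . "\n";
    echo "unsafe: $unsafe\n";
    echo "safe  : $safe\n";
    // Count element-opening tags in each result; anything beyond the outer
    // <div> means user input was interpreted as markup.
    echo 'opening tags, unsafe: ' . preg_match_all( '/<[a-z]/i', $unsafe ) . "\n";
    echo 'opening tags, safe  : ' . preg_match_all( '/<[a-z]/i', $safe ) . "\n\n";
}
```

The attribute case is the one most often missed: escaping only the tag body still leaves the `title` value able to close its quote and add attributes.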