Talk:Security checklist for developers/Archive 1
 | This page is an archive. Do not edit the contents of this page. Please direct any additional comments to the current talk page. |
On the article page, say clearly that Html::rawElement does not escape the third extra argument, and that we have to use either
- Html::element - if this is possible - or
- $thirdArgument = htmlspecialchars( $thirdArgument, ENT_QUOTES )
- Always use the ENT_QUOTES flag which converts both double and single quotes. PHP has unfortunately "escape only single quotes" as default.[1]