Purpose and impact of xss() is unclear #78
The current documentation doesn't really address when xss() is appropriate. Having looked at the source code, it appears to be appropriate only when you intend to display the user's input to others without entity escaping. That makes sense if you're allowing users to edit things with a rich text editor, or encouraging the use of HTML tags, but it doesn't make sense if you're going to entity escape at output time.
For instance, it would never make sense to use the xss() filter on a blog post title - those should just be entity escaped; if a user types a < or > there, it is presumably meant to appear as such.
"Remove common XSS attack vectors from user-supplied HTML" would be a better description. It's worth mentioning that entity escaping is a better solution when it is not your goal to allow any HTML in the first place.
Thanks for an excellent validation library!
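As an added example (not from the original issue or the validator library), this is the output-time entity escaping the issue recommends for a field that should never contain markup, such as a post title; the `escapeHtml`, `decodeEntities` and `renderTitle` names and the sample titles are constructed for the illustration.

```javascript
// Output-time entity escaping for HTML text nodes and double-quoted attributes.
// The stored value is left untouched; escaping happens where it is rendered.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse mapping, used only to show that the reader sees exactly what was typed.
const HTML_UNESCAPES = Object.fromEntries(
  Object.entries(HTML_ESCAPES).map(([ch, ent]) => [ent, ch]),
);

function decodeEntities(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#x27|#x60);/g, (ent) => HTML_UNESCAPES[ent]);
}

// Render a post title into a heading (text node) and a title attribute.
// Whatever the user typed, including "<" or ">", appears literally in the
// browser instead of being parsed as markup, so no sanitizer is needed here.
function renderTitle(title) {
  const safe = escapeHtml(title);
  return `<h1 class="post-title" title="${safe}">${safe}</h1>`;
}

// Constructed sample titles: one with legitimate angle brackets, one with markup.
const SAMPLE_TITLES = [
  'Why 1 < 2 && "quotes" matter',
  '<b>not bold</b>',
];

for (const t of SAMPLE_TITLES) {
  console.log(renderTitle(t));
}
```

Escaping is context-specific: this covers text nodes and quoted attribute values, not URLs, inline scripts or CSS, which need their own encoders.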