I am wondering if the symbol > always needs to be converted into &gt;, if the input is coming from a user? I could understand that < (&lt;) would need to, since the next characters could be interpreted as HTML, but what harm could > have?
1 Answers
It depends what you are going to do with the data. If you're going to render it to a page, it should be HTML-escaped (meaning converted to &gt;). If you're doing pretty much anything else then it should not.
John Wu
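The distinction the answer draws, as an added example that is not part of the original question or answer: the value is escaped where it is written into HTML and left raw everywhere else. The function names and the sample input are hypothetical and constructed for illustration.

```javascript
// Added example: escape at the point of HTML output, keep raw data elsewhere.
// Constructed sample input, as a user might type it.
const userInput = 'if a > b && b < c then "ok"';

// HTML-escape for element content and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Rendering to a page: this is the one place the value gets HTML-escaped.
function renderComment(raw) {
  return '<p class="comment">' + escapeHtml(raw) + '</p>';
}

// Anything else (storage, a JSON API, length checks): use the raw value.
// JSON.stringify applies JSON's own quoting, which is a different encoding.
function toJsonRecord(raw) {
  return JSON.stringify({ comment: raw, length: raw.length });
}

// Escaping on input instead: the stored value is no longer what the user
// typed, and the render step escapes it a second time, so the page would
// display the literal text "&gt;" rather than ">".
function escapedOnInputThenRendered(raw) {
  const stored = escapeHtml(raw);
  return { stored, page: renderComment(stored) };
}

console.log(renderComment(userInput));
console.log(toJsonRecord(userInput));
console.log(escapedOnInputThenRendered('a > b'));
```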