The issue: Cross-site scripting attacks caused by improper escaping.
- Every user input may contain characters which will be interpreted by the displaying program.
<?php
$text = '<b>Hallo</b> Welt.';
echo $text;                  // unescaped: the browser interprets the tags
echo htmlentities( $text );  // escaped: the tags are shown literally
?>
Output (as rendered in a browser)
Hallo Welt. (the first "Hallo" in bold) followed by the literal text <b>Hallo</b> Welt.
The solution: Use escape functions on output
- Remember that database content may be user input, too.
Hint: Consider the context of the output, or use a template system which automatically takes care of output escaping.
<?php
$config = ezcTemplateConfiguration::getInstance();
// The XHTML context makes the template engine escape variables for HTML output
$config->context = new ezcTemplateXhtmlContext();
$t = new ezcTemplate();
$t->process( "hello_world.ezt" );
?>
In eZ Template, variables are escaped according to the context of the output:
{var $myVar = '<b>Hello world!</b>'}
{$myVar}
To output the content of the variable without escaping, you need to call raw explicitly:
{var $myVar = '<b>Hello world!</b>'}
{raw $myVar}
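As an added example (not part of the original slides or of eZ Template), the following plain PHP shows why the output context matters: the same user-controlled string is escaped differently for HTML, a JavaScript string literal and a URL parameter, and a tiny escape-by-default renderer with an explicit Raw opt-in mirrors the {$myVar} / {raw $myVar} distinction above. The function names, the Raw class and the sample input are my own constructions.

```php
<?php
// Added example (not from the original slides): the same user-controlled string
// must be escaped differently depending on the output context it lands in.
declare(strict_types=1);

// HTML body and quoted attribute context (attributes must always be quoted).
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript string literal context: json_encode yields a valid JS literal, and the
// HEX flags make sure "</script>" inside the data cannot close the script element.
function escJs(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($s, $flags);
}

// URL query parameter context.
function escUrl(string $s): string
{
    return rawurlencode($s);
}

// Marker for content the caller has deliberately chosen not to escape,
// the equivalent of {raw $var} in the template syntax above.
final class Raw
{
    public function __construct(public readonly string $html) {}
}

// Minimal escape-by-default renderer: every {$name} is HTML-escaped unless the
// value was wrapped in Raw, so forgetting to escape cannot happen by accident.
function render(string $template, array $vars): string
{
    return preg_replace_callback('/\{\$(\w+)\}/', function (array $m) use ($vars): string {
        $v = $vars[$m[1]] ?? '';
        return $v instanceof Raw ? $v->html : escHtml((string) $v);
    }, $template);
}

// Constructed sample input that would run as script if echoed unescaped.
$input = '"><script>alert(1)</script>';
echo '<p>' . escHtml($input) . "</p>\n";
echo '<input value="' . escHtml($input) . "\">\n";
echo '<script>var q = ' . escJs($input) . ";</script>\n";
echo '<a href="/search?q=' . escUrl($input) . "\">link</a>\n";
echo render('<p>{$user}</p>', ['user' => $input]) . "\n";
echo render('<p>{$note}</p>', ['note' => new Raw('<b>trusted markup</b>')]) . "\n";
```

Requires PHP 8.1 or later for the promoted readonly property; run it from the command line and compare the four escaped forms of the same input.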