I am working on Wordcraft, trying to get
the last annoying HTML validation errors worked out. Things
like ampersands in URLs. In doing so, I am asking myself
where the escaping should take place. In the case of Wordcraft,
there are several parts to it.

1. The code that pulls data from the database. Obviously
   not the right place.
2. The code that formats data like dates and such. It
   also organizes data from several data sources into one nice
   tidy array. Hmm, maybe.
3. The parts of the code that set up the output data for the
4. The templates themselves.

Now, I am sure 1 is not the place. And I really would not
want 4 to be the place. That would make for some ugly
templating. Plus, the templates, IMO, should assume the data
is ready to be output. So, that leaves the code that does the
formatting and the code that does the data setup.

Of those two, I guess the place to do this job is in the data
setup. Wordcraft has a $WCDATA array that is available in the
scope of the templates. I suppose anything that goes into
that array should be escaped as appropriate.

I largely wrote this blog post as a
teddy bear exercise. But, I am curious. Where and
when do you escape your data for use in HTML documents?
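
An added example, not part of the original post and not Wordcraft's own code: one way to escape at the data setup step, so that everything placed in $WCDATA is ready for the templates to echo. The function name `wc_escape_for_html()`, the `$rawKeys` allow-list and the sample post (including its URL) are assumptions made up for illustration.

```php
<?php
// Hypothetical helper for the data setup step; not Wordcraft code.
// Recursively HTML-escapes every string in a value bound for $WCDATA.
// Keys named in $rawKeys hold markup that is already trusted HTML and pass through.
function wc_escape_for_html($value, array $rawKeys = [], $key = null)
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = wc_escape_for_html($v, $rawKeys, $k);
        }
        return $out;
    }
    if (!is_string($value) || in_array($key, $rawKeys, true)) {
        return $value; // ints, bools, null, and trusted markup
    }
    // Escaping happens exactly once, here, so double encoding stays on:
    // a literal "&amp;" typed by a user is displayed as typed.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: raw values as the formatting code might hand them over.
$post = [
    'post_id' => 42,
    'subject' => 'Tom & Jerry <live>',
    'url'     => '/index.php?mode=post&id=42',
    'body'    => '<p>Already rendered markup.</p>',
    'tags'    => ['php', 'q&a'],
];

// Data setup: the only place escaping is applied.
$WCDATA = ['post' => wc_escape_for_html($post, ['body'])];
?>
<h2><a href="<?= $WCDATA['post']['url'] ?>"><?= $WCDATA['post']['subject'] ?></a></h2>
<?= $WCDATA['post']['body'] ?>
```

Values escaped this way are safe in HTML text and in quoted attribute values only; anything a template writes into a script block, an unquoted attribute or CSS needs escaping for that context instead. Every key on the `$rawKeys` list is a place where unescaped markup reaches the page, so it should name only fields whose HTML was generated or sanitized earlier.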