- The code that pulls data from the database. Obviously not the right place.
- The code that formats data like dates and such. It also organizes data from several data sources into one nice tidy array. Hmm, maybe
- The parts of the code that set up the output data for the templates.
- The templates themselves.
Of those two, I guess the place to do this job is in the data setup. Wordcraft has a $WCDATA array that is available in the scope of the templates. I suppose anything that goes into that array should be escaped as appropriate.
I largely wrote this blog post as a teddy bear exercise. But, I am curious. Where and when do you escape your data for use in HTML documents?
I would fix issues with strings before they go into the database in the first place. One needs to be sure the fix is the correct one though. Changing the function later will not help historical in any way.