- The code that pulls data from the database. Obviously not the right place.
- The code that formats data like dates and such. It also organizes data from several data sources into one nice tidy array. Hmm, maybe.
- The parts of the code that set up the output data for the templates.
- The templates themselves.

Of those two, I guess the place to do this job is in the data setup. Wordcraft has a $WCDATA array that is available in the scope of the templates. I suppose anything that goes into that array should be escaped as appropriate.
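
A sketch of escaping at the data-setup stage, added here as an example and not taken from Wordcraft's code: every string is escaped once, just before the array reaches the templates. The helper name `escape_for_templates`, the array keys and the sample values are all constructed for illustration; only the `$WCDATA` name comes from the post.

```php
<?php
// Added example, not Wordcraft's code. Keys and sample values are constructed.

/**
 * Return a copy of $data with every string escaped for HTML text and
 * quoted-attribute contexts. Keys listed in $rawHtmlKeys hold markup that
 * was already sanitized upstream and are passed through untouched.
 */
function escape_for_templates(array $data, array $rawHtmlKeys = []): array
{
    $out = [];
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            // Nested rows (comment lists, tag lists) get the same treatment.
            $out[$key] = escape_for_templates($value, $rawHtmlKeys);
        } elseif (is_string($value) && !in_array($key, $rawHtmlKeys, true)) {
            // Strict in_array() so numeric list keys never match the allowlist.
            $out[$key] = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        } else {
            $out[$key] = $value; // ints, bools, null, allowlisted markup
        }
    }
    return $out;
}

// Data setup: the one place where escaping happens.
$WCDATA = escape_for_templates([
    'title'     => 'Tips & tricks for <b>bold</b> text',
    'comments'  => [
        ['author' => '"><script>alert(1)</script>', 'count' => 3],
    ],
    'body_html' => '<p>Post body, sanitized when it was saved.</p>',
], ['body_html']);

// Template side: values are echoed as-is, with no per-template escaping.
echo "<h1>{$WCDATA['title']}</h1>\n";
echo "<span title=\"{$WCDATA['comments'][0]['author']}\">first commenter</span>\n";
echo $WCDATA['body_html'], "\n";
```

This encoding is only correct for element content and quoted attribute values. A value that a template places in a URL, inline script or CSS needs the encoding for that context instead, which is the main cost of escaping before the template is known.
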

I largely wrote this blog post as a teddy bear exercise. But I am curious. Where and when do you escape your data for use in HTML documents?