Suppose I have something like this:
Can I use htmlspecialchars on the echo statements? It messes it up if it's interpreted as HTML; on the other hand, does not having it leave the risk that someone may try an XSS attack if the browser does interpret it as HTML?
What should I do? Should I not worry and not
No, you should not use htmlspecialchars. Neither of those would make sense, since htmlspecialchars is intended to avoid HTML injection. However, if you use JSON, your client code needs to take care how it uses the returned value. For instance, injecting it into innerHTML would not be safe.