When outputting user input, do you only use htmlspecialchars()
or are there other functions/actions/methods you also run? I'm looking for something that will als
You shouldn't be cleansing text on output, it should happen on input. I use a filter that filters all input to the application. It is configurable so that it can allow specific tags/data through when needed (say for a WYSIWYG editor).
You should do as little processing of text on output as possible so that you ensure speed. Processing it once creates a lot less strain than processing it 500,000 times.
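As an added example (not code from the question or the answer above), here is what the "something else besides htmlspecialchars()" usually amounts to in practice: the escaping function has to match the output context, because HTML-escaping a value does nothing for a string that lands inside an inline script, a URL parameter or an href scheme. The helper names (`escHtml`, `escJs`, `escUrlParam`, `safeHref`) and the hostile inputs are constructed for illustration and assume PHP 8 or later; none of them come from the original thread.

```php
<?php
// Added example: context-aware output encoding in PHP 8+.
// Helper names and sample inputs are constructed for illustration.
declare(strict_types=1);

const CHARSET = 'UTF-8';

// HTML text nodes and quoted attribute values.
// ENT_QUOTES escapes both ' and ", so the result is safe in single- or
// double-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
// instead of returning an empty string and silently dropping the output.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, CHARSET);
}

// A value embedded in an inline <script> block. JSON_HEX_TAG turns < and >
// into \u003C / \u003E so the payload cannot close the script element;
// the other HEX flags cover & ' " for good measure. json_encode also
// escapes "/" by default, so "</script>" can never appear literally.
function escJs(mixed $v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// A single query-string parameter value (RFC 3986 percent-encoding).
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

// An absolute URL placed in an href: allow only http(s), then HTML-escape
// it for the attribute context. Relative links would need their own rule.
function safeHref(string $url): string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#'; // rejects javascript:, data:, vbscript:, etc.
    }
    return escHtml($url);
}

// Constructed hostile inputs, as if they came straight from $_GET/$_POST.
$attrBreak = '"><img src=x onerror=alert(1)>';
$name      = "O'Brien </script><script>alert(1)</script>";
$link      = 'javascript:alert(1)';

// Same data, four different contexts, four different encoders.
echo '<p>Hello, ' . escHtml($name) . "</p>\n";
echo '<input value="' . escHtml($attrBreak) . "\">\n";
echo '<a href="/search?q=' . escUrlParam($attrBreak) . "\">search</a>\n";
echo '<a href="' . safeHref($link) . "\">profile</a>\n";
echo '<script>var user = ' . escJs($name) . ";</script>\n";
```

The cost argument in the answer does apply to rich-text filtering: running a tag allowlist over a whole document on every render is expensive, so doing that once on input and storing the result is reasonable. It does not apply to htmlspecialchars(), which is a single pass over a short string and is cheap enough to run at every output point. Note also that an allowlist of tag names alone is not a sanitizer: attributes such as `onerror` survive tag filtering, so rich-text input needs a filter that also allowlists attributes and URL schemes, not just elements.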