eelixduppy - 9:38 pm on Mar 4, 2010 (gmt 0)
Failure to Preserve Web Page Structure
This is one directly related to cross-site scripting (XSS) attacks mostly. Just as it is important to verify your input data before you use it, it is equally important to make sure that your output does not contain anything that could be potentially harmful.
When printing anything to the browser that may contain data from an outside source (as defined in my first post about validating input) you must make sure it is going to be printed as expected, and not taken as actual code as part of the webpage. This type of injection is probably the most prevalent on websites today, because most people do not sanitize their output.
But to properly sanitize data before you put it to the browser, you should at least do the following:
echo htmlentities($message, ENT_QUOTES, 'UTF-8');
Where the htmlentities function even allows you to specify the character set you are working with to make sure that the characters that should be converted to their entity form actually do so.
More here: [php.net...]
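As an added example, not part of eelixduppy's post: the same untrusted value printed raw beside the htmlentities() form the post recommends, with a constructed input that contains every markup-significant character. The helper name h() and the sample string are my own, and the ENT_SUBSTITUTE flag goes one step beyond the post.

```php
<?php
// Added example (not from the original post): the same untrusted value
// printed raw versus passed through htmlentities() as the post recommends.

// Constructed sample standing in for data from an outside source.
$message = "Tom's \"review\" <b>bold</b> & more";

// Helper name is my own choice. ENT_QUOTES converts both " and ', so the
// result is safe inside single- and double-quoted attributes as well as
// element text; before PHP 8.1 the default flags left ' unconverted.
// ENT_SUBSTITUTE (added here beyond the post) replaces invalid UTF-8 bytes
// instead of letting htmlentities() silently return an empty string.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: the value is emitted as-is and becomes part of the page's markup.
$unsafe = "<p>$message</p>";

// Safe: markup-significant characters are rendered as entities, so the
// browser shows them as text instead of parsing them as HTML.
$safe = "<p>" . h($message) . "</p>";
$attr = "<input type='text' value='" . h($message) . "'>";

echo $unsafe, "\n", $safe, "\n", $attr, "\n";
```

Running it prints the raw line with a live `<b>` element, while the escaped lines show `&lt;b&gt;`, `&quot;` and `&#039;`, which is why the single-quoted attribute in $attr stays intact.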