From: Aryeh Gregor Date: Thu, 20 Aug 2009 21:30:47 +0000 (+0000) Subject: Remove somewhat braindead comments X-Git-Tag: 1.31.0-rc.0~40173 X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/categories/modifier.php?a=commitdiff_plain;h=643dad9da36bc74258a4c11e6eff71018045ea23;p=lhc%2Fweb%2Fwiklou.git Remove somewhat braindead comments On second thought, if you're outputting user-supplied JS without careful validation, it doesn't really matter if it's HTML-escaped or not. :D CSS has expr() and such too. --- diff --git a/includes/Html.php b/includes/Html.php index 57f9ba012c..ae10ac6141 100644 --- a/includes/Html.php +++ b/includes/Html.php @@ -194,10 +194,6 @@ class Html { * escaping as well, like if $contents contains literal '' or (for * XML) literal "]]>". * - * Note that $contents will not be escaped, since JS may legitimately - * contain unescaped characters like "<". Make sure you don't output - * untrusted user input here! - * * @param $contents string JavaScript * @return string Raw HTML */ @@ -234,10 +230,6 @@ class Html { * (if any). TODO: do some useful escaping as well, like if $contents * contains literal '' (admittedly unlikely). * - * Note that $contents will not be escaped, since CSS may legitimately - * contain unescaped characters like "<". Make sure you don't output - * untrusted user input here! - * * @param $contents string CSS * @param $media mixed A media type string, like 'screen', or null for all * media
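Review bot: In the first hunk (@@ -194,10 +194,6, the JavaScript docblock), deleting all three lines also deletes the only statement that $contents is emitted without escaping; what remains is a TODO about future escaping and "@return string Raw HTML". The commit message argues that HTML-escaping would not make user-supplied JS safe, which undercuts the "will not be escaped, since JS may legitimately contain ..." rationale but not the warning itself. Suggest dropping the rationale and keeping a single line along the lines of "$contents is output as-is; never pass untrusted user input here", so the trust requirement stays visible to callers who read only the docblock.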
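Review bot: In the second hunk (@@ -234,10 +230,6, the CSS docblock), the text left behind is "TODO: do some useful escaping as well", which a caller can read as saying that escaping is the only thing missing before arbitrary input is acceptable. The commit message says the opposite ("CSS has expr() and such too"), but that reasoning exists only in the commit log and not in the file. Suggest adding a short statement to the "@param $contents string CSS" line that the value must be trusted CSS and that escaping alone does not make user-supplied CSS safe, so the docblock and the commit message agree.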