Welcome to the Treehouse Community
Looking to learn something new?
Mayur PandeCourses Plus Student 11,711 Points
Surely then we would need to escape the outputs on all fields?
As this is the case with malicious code. Surely we would need to escape the output on all the other form fields i.e. name, email, title, year etc. Am I correct in thinking this?
Aurelien Roux25,567 Points
I'm not 100% sure but it seems to be a good practice to do both (filtering inputs and escaping outputs).
I found this article that gets in the details and show examples https://www.inanimatt.com/php-output-escaping.html