detect-replaceall-sanitization

Detected a call to $FUNC() in an attempt to HTML escape the string $STR. Manually sanitizing input through a hand-built list of replacements can be circumvented in many situations (a character missing from the list, or an escaper applied in a context it was not written for, such as an attribute value), and it is better to use a well known sanitization library such as sanitize-html or DOMPurify.
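The following is an added example, not code from the rule or from the Semgrep project. It shows the kind of chained replaceAll() escaper this rule flags, how it is bypassed when the escaped string lands in an attribute, and a complete single-pass escaper for comparison. The function names (naiveEscape, escapeHtml, renderTitle, attributeBreakout) and the constructed payload are assumptions made for the illustration. Note that an escaper turns untrusted input into inert text; if the application must allow some HTML through, that is the job of a sanitizer such as sanitize-html or DOMPurify, not of any of these functions.

```javascript
// Added example (not the rule's or the project's own code). Illustrates why a
// hand-built replaceAll() list is a weak HTML escaper and what a complete
// text/attribute escaper looks like. All names and inputs below are assumed.

// The pattern the rule looks for: a string "HTML escaped" by chaining replaceAll()
// over a hand-picked list of characters. Quotes are not in the list.
function naiveEscape(str) {
  return String(str).replaceAll('<', '&lt;').replaceAll('>', '&gt;');
}

// A complete escaper for HTML text and double-/single-quoted attribute contexts.
// All five characters are handled in one pass, so '&' cannot be double-encoded
// by being replaced before or after the entities the other replacements produce.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders untrusted text into an attribute value using the supplied escaper.
// This is the context in which naiveEscape() fails: no '<' is needed to attack it.
function renderTitle(escaper, untrusted) {
  return `<a title="${escaper(untrusted)}">link</a>`;
}

// Heuristic check on the rendered markup: did the untrusted text manage to close
// the attribute and start an event-handler attribute of its own?
function attributeBreakout(markup) {
  return /"\s+on\w+=/i.test(markup);
}

// Constructed payload: breaks out of the title attribute without using '<' or '>'.
const PAYLOAD = '" onmouseover="alert(1)';

// Stand-alone demonstration.
console.log(renderTitle(naiveEscape, PAYLOAD)); // attribute breakout succeeds
console.log(renderTitle(escapeHtml, PAYLOAD));  // quotes are encoded, no breakout
```

Run it with Node 15 or later (replaceAll() is not available in older runtimes). The naive version leaves the payload untouched because neither `<` nor `>` appears in it, so the rendered tag gains an `onmouseover` handler; the single-pass escaper encodes the quotes and the attribute boundary is never crossed.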