Re: clean html tags
"'" => "&apos;",
The apos entity is an XML built-in, and isn't defined for HTML. While some browsers support it in text/html documents, this is error correction and you should not use it.
It's best to escape the data as it's coming in; otherwise it's very difficult to distinguish between, for example, a less-than sign that should be converted to &lt; and one that is part of the markup.
My preference is to convert from text to HTML at the last minute to avoid issues where I need to manipulate the data in Perl. (Template::Stash::EscapeHTML is quite cool).
What matters though is doing it in one place, so it's easy to spot when you forget to protect a bit of user input from XSS et al.
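As an added example (not code from this thread), here is that pattern in Perl: a single html_escape function that every output passes through, with the apostrophe mapped to the numeric reference &#39; rather than the XML-only &apos;, and the data manipulated raw before being escaped at render time. The render_comment function and the sample comment are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example: escape text for HTML at output time, in one place,
# using &#39; for the apostrophe instead of the XML-only &apos;.
use strict;
use warnings;

my %escape = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',   # numeric reference: valid in both HTML and XML
);

# The single choke point: text reaches HTML only through this function,
# so a missing call is the one thing to look for when auditing for XSS.
sub html_escape {
    my ($text) = @_;
    return '' unless defined $text;
    (my $out = $text) =~ s/([&<>"'])/$escape{$1}/g;
    return $out;
}

# Keep the raw data for manipulation in Perl; escape only when rendering.
# Truncating the raw text here cannot cut an entity like &lt; in half,
# which is what would happen if the data had been escaped on the way in.
sub render_comment {
    my ($comment) = @_;
    (my $author = $comment->{author}) =~ s/^\s+|\s+$//g;   # trim whitespace
    my $body = length($comment->{body}) > 40
        ? substr($comment->{body}, 0, 40) . '...'
        : $comment->{body};
    return sprintf('<p class="comment"><b>%s</b>: %s</p>',
        html_escape($author), html_escape($body));
}

# Constructed sample input containing the characters that matter for XSS.
my $comment = {
    author => "  O'Brien <admin>  ",
    body   => q{I said "hi" & then <script>alert(1)</script>},
};
print render_comment($comment), "\n";
```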