- htmlspecialchars: documentation (source)
<?php
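// This code is vulnerable to reflected XSS when cmd == 1 and text contains a script:
// in that case get() returns the 'text' parameter without htmlspecialchars() and it is echoed as-is.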
// ?cmd=1&text=%3Cscript%3Ewindow.location%20=%20%22http://www.google.com/%22%3C/script%3E
/**
 * Return the 'text' query-string parameter for output.
 *
 * When $c loosely equals 1 the value is returned exactly as received,
 * with no HTML escaping; for every other $c it is passed through
 * htmlspecialchars(). The unescaped branch is the reflected-XSS path this
 * sample demonstrates: the caller echoes the result into the response.
 * The remedy is to escape in every branch (or at the point of output).
 *
 * @param mixed $c Selector; compared with == so "1" and true also match.
 * @return mixed Raw or HTML-escaped value of $_GET['text'].
 */
function get($c){
    $text = $_GET['text'];
    // Deliberately unsafe branch: attacker-controlled markup is returned verbatim.
    $raw = ($c == 1);
    return $raw ? $text : htmlspecialchars($text);
}
// The (int) cast means $cmd itself can only ever be an integer, so echoing it is safe.
$cmd = (int) $_GET["cmd"];
if ($cmd != 0) {
    // Whatever get() returns is written straight into the response with no
    // further escaping, so its unescaped branch (cmd == 1) reaches the browser as markup.
    echo ($cmd . " " . get($cmd));
} else {
    echo "0";
}
?>