What's wrong with this PHP htmlspecialchars still allowing XSS?

What's wrong with this PHP htmlspecialchars still allowing XSS in output. The PHP code uses wrong encoding or omits ENT_QUOTES. In PHP templates this lets attackers inject script tags.

#whatswrongwiththisphpcode #phpbug #phpproductionbug #phpdebugging #phpbackend #phpcodereview #phpsecurity #phpperformance #phpreliability #phpapi #phpwebdevelopment #phpengineering #phpxss #phphtmlspe...

https://www.youtube.com/watch?v=iShj586SEzo