would that create lazy coders though if they knew they could get a script that does their sanitizing and security for them?

i mean, if xoops & icms cores and modules were all coded securely to begin with, then xoops protector wouldn't be necessary in the 1st place.

it's good that Gijoe wrote the module because it has certainly helped over the years, but it should not be a replacement for secure coding practices.

I see many comments regarding Protector module and when security exploits get discovered, the usual consensus is that it's ok because you have protector installed, that will prevent this exploit.

But that's giving false hope because people have to rely on the module instead of relying on the core to offer that protection. in other words people are relying on it too much instead of writing secure code in the 1st place.

The protector module should be a secondary defense, not a primary defense, the core and modules should be the primary source of defense.