I have an admin section within my site where items can be stored. Once they are stored, they are displayed on the front end. Part of my display involves code like the following:
echo "<p>".$rose['description']."</p>";
Does this need to have htmlspecialchars included into it to protect from XSS at a low level?
Yes, of course; you should always sanitize user input before outputting it back to prevent XSS attacks. Remember that you should sanitize user input before outputting it and not before saving it to the db, because you don't always need to output HTML.
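A worked PHP example of the answer's advice, added here and not part of the original question or answer; `$rose['description']` is assumed to be the row fetched from the database, and the sample value is constructed:

```php
<?php
// Added example, not the original poster's code. Assumes $rose is a row
// fetched from the database; the description value below is constructed.
declare(strict_types=1);

// Escape a value for an HTML text or attribute context. ENT_QUOTES covers both
// quote styles, so the helper is safe inside double- and single-quoted
// attributes; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample: what a stored description could look like if the admin
// form accepted arbitrary text. It is kept raw in the database, as entered.
$rose = ['description' => 'Red "Peace" rose <script>alert(1)</script>'];

// Vulnerable: the stored text is inserted into the page as markup, so any
// tags it contains are interpreted by the browser.
$unsafe = "<p>" . $rose['description'] . "</p>";

// Safe: escape at the point of output, for the HTML context it lands in.
$safe = "<p>" . e($rose['description']) . "</p>";

// The same raw value can be emitted into other contexts with the escaping
// that each context needs. This is why it is stored unescaped rather than
// HTML-escaped on save: pre-escaping would double-encode the HTML output and
// leave literal entities in the JSON and attribute forms.
$attr = '<input type="text" name="description" value="' . e($rose['description']) . '">';
$json = json_encode(
    ['description' => $rose['description']],
    JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS
);

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
echo "attr:   ", $attr, PHP_EOL;
echo "json:   ", $json, PHP_EOL;
```

Run it from the command line to compare the four outputs; only the first one would execute script in a browser.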