by ufo 4922 days ago
>I have never, ever seen nl2br referred to as making anything secure or safe.

There is also no mention in the manual that it is unsafe! One of the big problems with PHP is how easy it is to write dangerous code and how the standard manuals and tutorials often give little explanation of this.


It should be better documented to not directly print user input in HTML context, and there should be a very obvious best-practices[1] guide for newbies explaining what to do (and what not to do). But nl2br could only be dangerous if you misunderstand the function's name, description, sample code, and everything else in the documentation.

[1] as if they would read it...
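The point both commenters are circling, shown in code. This is an added example written for this page, not code from the thread or from the PHP manual; the comment text is a constructed sample input. It contrasts nl2br() applied directly to user input (the mistake), the correct order (escape for HTML first, then nl2br), and the wrong order (nl2br then escape), which mangles the line breaks nl2br just inserted.

```php
<?php
// Added example, not from the HN thread or the PHP manual.
// nl2br() only inserts "<br />" before newline characters; it does no
// escaping. Escaping for HTML context is htmlspecialchars()'s job, and the
// order of the two calls matters.

// Constructed sample input: what an attacker might submit in a comment form.
$userInput = "Hello\n<script>alert('xss')</script>\nbye";

// MISTAKE: nl2br() passes the <script> tag through untouched, so it executes
// in the browser of anyone viewing the page.
function renderUnsafe(string $text): string
{
    return nl2br($text);
}

// CORRECT: escape first, then convert newlines. htmlspecialchars() leaves "\n"
// alone, so nl2br() still finds the newlines and the inserted <br /> tags are
// real markup, while everything the user typed is inert text.
function renderSafe(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);
}

// WRONG ORDER: escaping after nl2br() also escapes the <br /> tags it added,
// so the user sees the literal text "&lt;br /&gt;" instead of line breaks.
function renderWrongOrder(string $text): string
{
    return htmlspecialchars(nl2br($text), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Minimal self-check: the safe output must contain no raw "<script" and must
// still contain the <br /> tags nl2br() is there to produce.
function safeOutputLooksRight(string $text): bool
{
    $out = renderSafe($text);
    return stripos($out, '<script') === false && strpos($out, '<br />') !== false;
}

echo "--- unsafe (script tag survives) ---\n", renderUnsafe($userInput), "\n\n";
echo "--- safe (escape, then nl2br) ---\n", renderSafe($userInput), "\n\n";
echo "--- wrong order (br tags escaped) ---\n", renderWrongOrder($userInput), "\n\n";
echo 'self-check: ', safeOutputLooksRight($userInput) ? 'ok' : 'FAILED', "\n";
```

Run it with `php example.php`. The unsafe variant prints the `<script>` tag verbatim; the safe variant prints `&lt;script&gt;...` with `<br />` between the lines; the wrong-order variant prints `&lt;br /&gt;` where the line breaks should be. The ENT_QUOTES and ENT_SUBSTITUTE flags are there so single quotes are escaped too and invalid UTF-8 is replaced rather than silently producing an empty string.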