Without proper care, developers can leave their CakePHP website open to cross-site scripting attacks. Controllers that use the scaffold functions do not sanitize data, which leaves the website vulnerable. The bake tool in the console generates controllers that are just as simple as the scaffold version. Some suggest storing the unsanitized data and escaping the dangerous characters on output. In a perfect world I would agree with this approach, but it is easy to forget to sanitize output every time, or for an amateur developer to be ignorant of the dangers.