I was playing with PHP (As usual) and i was thinking about date()

It's a PHP function that displays date in different formats.

According to the documentation: 'Unrecognized characters in the format string will be printed as-is.'

So what if i try to insert HTML there as well?

I tried <?php echo date('<img src=x onerror=alert(\'XSS\')>'); ?>

But all characters are accepted in the format so the output was:
<59033 32Tue, 04 Mar 2014 15:59:32 +00002014-03-04T15:59:32+00:00=x 20143UTCTue, 04 Mar 2014 15:59:32 +0000Tue, 04 Mar 2014 15:59:32 +00002014Tue, 04 Mar 2014 15:59:32 +0000=pmTuesdayUTCTue, 04 Mar 2014 15:59:32 +000031(&#8216;Xthth&#8217;)>

Obviously that's not gonna give us the XSS payload, the page also says:
You can prevent a recognized character in the format string from being expanded by escaping it with a preceding backslash. If the character with a backslash is already a special sequence, you may need to also escape the backslash.

So i tried to escape the characters i supplied with a backslash.
<?php
echo date('<\i\m\g \s\r\c=x \o\n\e\r\r\o\r=\a\l\e\r\t(\'X\S\S\')\>');
?>

And viola! i saw the magic message box!

So filter the output of date like you would filter and user submitted input.

And if you don't think someone would do echo date($_GET['date']); THINK AGAIN!

http://phpkurs.se/php/ajax-med-jquery-och-php.html
http://forums.phpfreaks.com/topic/199191-strtotime-1-day-with-a-variable/
http://www.neosoftware.com/community/viewtopic.php?p=11206894&sid=b13ae2cbf369c22a67e659507275b2a3#p11206894
http://www.sitepoint.com/forums/showthread.php?280665-pulling-year-from-url-parameter-in-echo-statement&s=c5e4995b2c0adedf41dc0876ae337750&p=2031078&viewfull=1#post2031078
http://www.computercraft.info/forums2/index.php?/topic/4806-luacode-wantedreal-time/page__view__findpost__p__37833

date() is evil, don't trust it.