[Esapi-dev] XSS: Filter vs Encode?
noloader at gmail.com
Sat Dec 10 23:55:59 EST 2011
According to ASP.net and their tutorials (and at least one book I've
looked at), data is inserted into the database unfiltered but later
encoded to counter XSS.
I'm not sure I agree with inserting contaminated data into the
database. I think there's a potential for abuse: for example, suppose
a page is later added which omits encoding.
What is the preferred method of sanitizing input?
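The trade-off raised above, shown as an added example (not code from the original post or from the ESAPI project): comments are stored raw, and two hypothetical render paths are compared, one that encodes for the HTML context at output time and one that omits the encoding, which is exactly the failure the post is worried about. The comment records and the naive tag-stripping "input filter" are constructed for the example; the attribute encoder follows the ESAPI convention of encoding every non-alphanumeric character as a numeric entity.

```python
import html
import re

# Constructed sample of what a store-raw design keeps in the database.
# Legitimate data (ampersands, comparison operators, quotes) sits next to
# user-supplied markup; both must be handled at render time.
STORED_COMMENTS = [
    {"author": "Tom & Jerry", "body": "I think a < b and c > d here"},
    {"author": 'Eve "quoted"', "body": "<b>shout</b> but do not bold it"},
]


def encode_for_html_body(text: str) -> str:
    """Encode for the HTML element-content context."""
    return html.escape(text, quote=True)


def encode_for_html_attribute(text: str) -> str:
    """ESAPI-style attribute encoding: everything except ASCII [A-Za-z0-9]
    becomes a hex numeric entity, so the value can never close the quote
    or introduce a new attribute."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):x};")
    return "".join(out)


def naive_strip_tags(text: str) -> str:
    """A typical 'filter on input' approach. Kept here only to show that it
    is lossy: it discards legitimate text between '<' and '>'."""
    return re.sub(r"<[^>]*>", "", text)


def render_comment_encoded(comment: dict) -> str:
    """Output-encoding path: each value is encoded for the context it lands in."""
    return (
        f'<p title="{encode_for_html_attribute(comment["author"])}">'
        f'{encode_for_html_body(comment["body"])}</p>'
    )


def render_comment_unencoded(comment: dict) -> str:
    """The 'page added later that forgets to encode' path from the post."""
    return f'<p title="{comment["author"]}">{comment["body"]}</p>'


def contains_live_markup(rendered: str) -> bool:
    """Detection check: True if any tag other than the template's own <p>
    survives in the rendered output, i.e. stored data became markup."""
    return re.search(r"<(?!/?p\b)[a-zA-Z]", rendered) is not None


if __name__ == "__main__":
    for c in STORED_COMMENTS:
        print("encoded  :", render_comment_encoded(c))
        print("unencoded:", render_comment_unencoded(c),
              "<- live markup" if contains_live_markup(render_comment_unencoded(c)) else "")
    print("lossy filter:", repr(naive_strip_tags(STORED_COMMENTS[0]["body"])))
```

Running it shows why the store-raw, encode-on-output model is preferred: the first comment's `a < b and c > d` survives intact through the encoded path but is mangled to `a  d` by the input filter, while the second comment's `<b>` only becomes live markup on the path that skipped encoding. The residual risk the post names is real, and the usual mitigation is to make encoding the default in the templating layer rather than an explicit call that each new page has to remember.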