[Esapi-dev] XSS: Filter vs Encode?

Jeffrey Walton noloader at gmail.com
Sat Dec 10 23:55:59 EST 2011


Hi Guys,

According to ASP.net and their tutorials (and at least one book I've
looked at), data is inserted into the database unfiltered but later
encoded to counter XSS.

I'm not sure I agree with inserting contaminated data into the
database. I think there's a potential for abuse: for example, suppose
a page is later added which omits encoding.

What is the preferred method of sanitizing input?

Jeff
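The two approaches the post contrasts (store submitted text unmodified and encode it for the output context, versus filter it before it reaches the database) can be compared on a small store-and-render pipeline. The example below is added here and is not code from the original post or from ESAPI; it uses Python's standard `html.escape` in place of ESAPI's encoder, an in-memory dict as the "database", and constructed sample comments. The function names (`store_comment`, `render_comment`, `naive_strip_tags`) are this example's own.

```python
import html
import re

# Constructed sample inputs (not taken from the post): one harmless comment
# that merely contains angle brackets, one that carries actual markup.
SAMPLE_COMMENTS = {
    "math": "if a < b then c > d",
    "markup": '<b onmouseover="x">bold</b> & more',
}

# Stand-in for the database: the store-raw approach keeps exactly what was submitted.
_DB: dict[str, str] = {}


def store_comment(comment_id: str, raw: str) -> None:
    """Persist the submitted text unmodified; no output decisions are made here."""
    _DB[comment_id] = raw


def load_comment(comment_id: str) -> str:
    return _DB[comment_id]


def encode_for_html_body(value: str) -> str:
    """Encode for HTML element content (the role ESAPI's encodeForHTML plays).

    '&', '<' and '>' become entities, so the browser treats the text as text.
    """
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Encode for a double-quoted attribute value; quotes must be encoded as well,
    otherwise the value could terminate the attribute it sits in."""
    return html.escape(value, quote=True)


def naive_strip_tags(value: str) -> str:
    """The input-side alternative: delete anything that looks like a tag before storing.

    It is lossy: legitimate text containing '<' and '>' is destroyed, and the
    original value can never be recovered from the database.
    """
    return re.sub(r"<[^>]*>", "", value)


def render_comment(comment_id: str) -> str:
    """Encode-on-output: each use of the stored value gets the encoding for its context."""
    raw = load_comment(comment_id)
    return (
        f'<div class="comment" title="{encode_for_html_attribute(raw)}">'
        f"<p>{encode_for_html_body(raw)}</p></div>"
    )


def render_comment_unencoded(comment_id: str) -> str:
    """The failure mode the post worries about: a page that forgets to encode.

    With store-raw, this page emits the stored value verbatim; the database
    offers no second line of defence.
    """
    return f"<p>{load_comment(comment_id)}</p>"


def user_text_is_inert(encoded: str) -> bool:
    """True if an encoded fragment contains no characters that start markup."""
    return not any(ch in encoded for ch in '<>"')


if __name__ == "__main__":
    for cid, text in SAMPLE_COMMENTS.items():
        store_comment(cid, text)
        print(cid, "encoded:   ", render_comment(cid))
        print(cid, "filtered:  ", naive_strip_tags(text))
        print(cid, "unencoded: ", render_comment_unencoded(cid))
```

Running it shows the trade-off in the post: output encoding preserves the stored value and neutralises it in both the body and attribute contexts, the naive filter silently turns `if a < b then c > d` into `if a  d`, and the unencoded page demonstrates that with store-raw every output path must encode, which is why ESAPI puts its effort into context-specific encoders rather than a single input filter.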

