by outworlder
2526 days ago
Not the input, the output. There are some good comments on this thread about the distinction. Case in point: the owner altered the vehicle's name using the vehicle's own UI (which is probably not browser based). That input gets stored in the database. Then another system, web-based, wants to display it. If you don't encode the output, you'll be exposed. Never trust that the input is properly encoded. HTML encode it before display, always.
I'm not going to address it because it wasn't made in good faith and adds no value to the actual (rather than imagined) discussion.
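The store-raw, encode-on-output pattern the comment describes, as an added example that is not part of the original post. The vehicle name, the page-rendering functions and the stored value are all constructed for illustration; the only real API used is Python's standard `html.escape`.

```python
import html

# Constructed sample: a vehicle name exactly as a non-browser UI stored it in
# the database. It contains markup, and nothing upstream encoded it.
STORED_VEHICLE_NAME = "<script>alert('x')</script>"


def render_unsafe(name: str) -> str:
    """'Before': the web system interpolates the stored value straight into HTML.
    Any markup in the stored value becomes live markup in the page."""
    return f"<h1>Vehicle: {name}</h1>"


def render_safe(name: str) -> str:
    """'After': the value is HTML-encoded at the point of output, regardless of
    what the input path did. quote=True also encodes ' and " so the same
    helper is safe inside attribute values."""
    return f"<h1>Vehicle: {html.escape(name, quote=True)}</h1>"


def leaks_markup(rendered: str, stored: str) -> bool:
    """Defender's check: does the rendered page still contain the stored
    value's raw tag? True means output encoding was skipped."""
    return stored in rendered


if __name__ == "__main__":
    print(render_unsafe(STORED_VEHICLE_NAME))  # script tag survives into the page
    print(render_safe(STORED_VEHICLE_NAME))    # rendered as inert text
```

Encoding belongs at the output boundary because the web view is the only component that knows the value will be interpreted as HTML; the vehicle UI and the database have no such context, and a check on the input side would also break the moment a second input path (API, import, another device) is added.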