by charliesome 4916 days ago
> I'm sure everybody escapes their input.

That's the fundamental mistake. Don't escape input, escape output. If you're interpolating values into queries, that's an output that you need to escape for. If you're sending data to a browser, that's another output that you need to escape for (with different escaping rules).
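An added example (not part of the comment above, and not charliesome's code) of the principle it describes, using only the Python standard library: one raw value is stored once and then escaped three different ways, each at the moment it reaches an output context (a SQL query via bound parameters, an HTML page via entity encoding, a JSON document via JSON string encoding). It also shows what goes wrong with the input-escaping approach the comment objects to. The sample input and the table layout are constructed for the example.

```python
"""Escape at the output, not at the input: one stored value, three output contexts.

Added example, not code from the original comment. Uses only the standard
library: sqlite3 for the query context, html for the browser context, json
for a JavaScript/API context.
"""
import html
import json
import sqlite3

# Constructed sample input: a name a real user could legitimately type.
# It contains a single quote (dangerous in a SQL string literal) and angle
# brackets plus an ampersand (dangerous in HTML). None of these characters
# is dangerous by itself; only an output context makes them dangerous.
SAMPLE_INPUT = "O'Brien <b>&co</b>"


def open_db() -> sqlite3.Connection:
    """Constructed in-memory schema for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def store_name(conn: sqlite3.Connection, name: str) -> int:
    """SQL output context.

    The value is bound as a parameter, the modern form of 'escaping for the
    query': the driver keeps data and query text apart, so the database
    receives exactly what the user typed, with no escaping baked in.
    """
    cur = conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return cur.lastrowid


def load_name(conn: sqlite3.Connection, user_id: int) -> str:
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]


def render_html(name: str) -> str:
    """Browser output context: HTML entity encoding, applied at the moment
    the value is interpolated into markup and not earlier."""
    return f'<span class="user">{html.escape(name, quote=True)}</span>'


def render_json(name: str) -> str:
    """A third output context with its own rules: JSON string encoding.
    HTML entities would be wrong here, and so would SQL-style quoting."""
    return json.dumps({"name": name})


def escape_at_input_mistake(conn: sqlite3.Connection, name: str) -> str:
    """The anti-pattern the comment warns against: HTML-escaping on the way
    in. The database now holds '&#x27;' and '&lt;' instead of what the user
    typed, so every non-HTML consumer (JSON, a CSV export, a search index)
    gets corrupted data, and an HTML page that escapes again double-encodes it."""
    user_id = store_name(conn, html.escape(name, quote=True))
    return load_name(conn, user_id)


def demo() -> dict:
    """Run the round trip and return every intermediate value."""
    conn = open_db()
    uid = store_name(conn, SAMPLE_INPUT)
    stored = load_name(conn, uid)
    return {
        "stored": stored,  # identical to SAMPLE_INPUT: nothing escaped on input
        "html": render_html(stored),
        "json": render_json(stored),
        "escaped_at_input": escape_at_input_mistake(conn, SAMPLE_INPUT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:17} {value}")
```

Run it and compare the `stored` line with the `escaped_at_input` line: the first is the user's text unchanged, ready for any output context, while the second has HTML entities frozen into the database where no later consumer can safely undo them.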