Saturday, September 27, 2008

Input Validation or Output Encoding to prevent XSS

Found an excellent blog on Input Validation vs. Output Encoding by Scott Matsumoto, Cigital.

The gist of the post is that, although it would appear cleaner to use input validation to cleanse data as it enters the system, there are issues: blacklist validation only works on known bad data, whitelist validation only works for some data types, and data can come from many disparate sources. As a result, Scott recommends output encoding, or a combination of input validation (where appropriate) and output encoding as defense in depth.
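To make the three points concrete, here is an added Python example (not code from the original post or from Scott's blog) with constructed sample inputs: a narrow blacklist that only catches the one spelling it knows, a strict whitelist that rejects a legitimate name, and context-specific output encoders that render the same untrusted value safely into both an HTML body and an attribute value.

```python
import html
import re

# Constructed sample inputs (not from the original post).
LEGIT_NAME = "O'Brien & Sons"        # legitimate, but fails a strict whitelist
KNOWN_BAD = "<script>x</script>"     # the token the blacklist author thought of
VARIANT_BAD = "<ScRiPt>x</ScRiPt>"   # same markup to a browser, unknown to the blacklist

# --- Input validation --------------------------------------------------------
BLACKLIST = re.compile(r"<script>")              # deliberately narrow, as blacklists tend to be
NAME_WHITELIST = re.compile(r"^[A-Za-z0-9 ]+$")  # strict, and too strict for real names

def blacklist_validate(value: str) -> bool:
    """True if the value passes the blacklist, i.e. contains no *known* bad token."""
    return BLACKLIST.search(value) is None

def whitelist_validate(value: str) -> bool:
    """True if the value is purely ASCII alphanumeric; rejects legitimate punctuation."""
    return NAME_WHITELIST.match(value) is not None

# --- Output encoding ---------------------------------------------------------
def encode_html_body(value: str) -> str:
    """Encode for insertion between HTML tags: &, <, >, and quotes become entities."""
    return html.escape(value, quote=True)

def encode_html_attr(value: str) -> str:
    """Encode for a quoted attribute value: every non-ASCII-alphanumeric char becomes &#xHH;."""
    return "".join(c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):x};" for c in value)

def render_greeting(display_name: str) -> str:
    """Render untrusted text into two HTML contexts, each with the encoder that context needs."""
    return (f'<p title="{encode_html_attr(display_name)}">'
            f'Hello, {encode_html_body(display_name)}!</p>')

if __name__ == "__main__":
    for label, value in [("legit", LEGIT_NAME), ("known", KNOWN_BAD), ("variant", VARIANT_BAD)]:
        print(f"{label:8} blacklist_ok={blacklist_validate(value)!s:5} "
              f"whitelist_ok={whitelist_validate(value)!s:5} -> {render_greeting(value)}")
```

Whatever the validators decide, the rendered output never contains an unencoded angle bracket from the untrusted value; the encoders do the work the validators cannot.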
