Output validation

Context-Specific Encoding

  • HTML: Escape < as &lt;

  • URLs: Encode spaces as %20

  • SQL: Use parameterised queries

Example (Python - Jinja2 Auto-Escape):

```jinja
<!-- Safe by default in Jinja2 -->
<p>{{ user_content }}</p>
```
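The three encodings above in one runnable Python script, as an added example that is not from the original page; it assumes the jinja2 package is installed and uses constructed sample input. Note that Jinja2's core Environment defaults to autoescape=False, so the template above is only safe where autoescape is enabled (Flask turns it on for .html templates); the example passes the flag explicitly.

```python
"""Context-specific output encoding: HTML (Jinja2 autoescape), URL, SQL.
Added example with constructed input; assumes the jinja2 package is installed."""
import sqlite3
from urllib.parse import quote

from jinja2 import Environment

# Constructed sample input containing characters that are significant
# in all three output contexts (HTML tags, '&', quotes, spaces).
USER_CONTENT = '<script>alert(1)</script> & "quotes"'


def render_html(user_content: str, autoescape: bool = True) -> str:
    """Render the page's template. jinja2.Environment defaults to
    autoescape=False; with autoescape=True, '<', '>', '&' and quotes
    are emitted as HTML entities, so the browser never sees a tag."""
    env = Environment(autoescape=autoescape)
    template = env.from_string("<p>{{ user_content }}</p>")
    return template.render(user_content=user_content)


def build_url(base: str, query: str) -> str:
    """Percent-encode a value placed in a URL query (space -> %20).
    safe='' also encodes '/' so the value cannot alter the path."""
    return f"{base}?q={quote(query, safe='')}"


def find_user(name: str) -> list:
    """Look up a user with a parameterised query. The value is bound by
    the driver, never spliced into the SQL text, so quotes in it are data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(render_html(USER_CONTENT))                 # escaped entities
    print(render_html(USER_CONTENT, autoescape=False))  # raw tag: XSS
    print(build_url("https://example.test/search", "a b/c"))
    print(find_user("' OR '1'='1"))                  # [] : no injection
```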

Last update: 2025-06-07 06:04