Output validation

Context-Specific Encoding

Encode data for the context it is written into, not the context it came from: the same string needs a different encoding in an HTML body, a URL component and a SQL statement.

- HTML: Escape `<` as `&lt;` (and likewise `>`, `&` and quote characters)
- URLs: Encode spaces as `%20` (percent-encode every reserved character in the component)
- SQL: Use parameterised queries, so user data is bound as a value and never concatenated into the statement

Example (Python - Jinja2 Auto-Escape):

```html
<!-- Safe only when autoescaping is enabled: Flask turns it on for .html templates,
     but a plain jinja2.Environment() defaults to autoescape=False -->
<p>{{ user_content }}</p>
```
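The three encodings above, carried through in Python as an added example that is not code from the original page: `html.escape` for the HTML body, `urllib.parse.quote` for a URL component, a bound parameter for SQL, and the Jinja2 template rendered both with autoescaping on and with the library default (off). The payloads and the in-memory `users` table are constructed for the demonstration.

```python
# Added example, not code from the original page: the three context-specific
# encodings above in Python, plus Jinja2 rendered with and without autoescaping.
# All inputs below are constructed for the demonstration.
import html
import sqlite3
from urllib.parse import quote

# Constructed attacker-style inputs, one per context.
HTML_PAYLOAD = "<script>alert(1)</script>"
URL_PAYLOAD = "a b/c?d=e&f"
SQL_PAYLOAD = "' OR '1'='1"


def encode_for_html(s: str) -> str:
    """HTML body/attribute context: escape &, <, > and both quote characters."""
    return html.escape(s, quote=True)


def encode_for_url_component(s: str) -> str:
    """URL path segment or query value: percent-encode everything outside the
    unreserved set, so a space becomes %20 and '/', '?', '&' cannot change the
    structure of the URL they are embedded in."""
    return quote(s, safe="")


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """SQL: parameterised query. The driver sends username as a bound value,
    so quotes inside it are matched literally and never parsed as SQL."""
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?", (username,))
    return cur.fetchall()


def demo_sql() -> tuple:
    """Returns (rows for the injection payload, rows for a legitimate lookup)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return find_user(conn, SQL_PAYLOAD), find_user(conn, "alice")


def render_with_autoescape(user_content: str) -> str:
    """Jinja2 escapes {{ }} output only when autoescape is on. Flask enables it
    for .html/.xml templates; here it is enabled explicitly."""
    from jinja2 import Environment  # imported here so the other helpers run without Jinja2 installed
    env = Environment(autoescape=True)
    return env.from_string("<p>{{ user_content }}</p>").render(user_content=user_content)


def render_without_autoescape(user_content: str) -> str:
    """A bare jinja2.Environment() defaults to autoescape=False: the content is
    inserted verbatim, so the same template becomes an XSS sink."""
    from jinja2 import Environment
    env = Environment()  # autoescape=False is the library default
    return env.from_string("<p>{{ user_content }}</p>").render(user_content=user_content)


if __name__ == "__main__":
    print(encode_for_html(HTML_PAYLOAD))            # &lt;script&gt;alert(1)&lt;/script&gt;
    print(encode_for_url_component(URL_PAYLOAD))    # a%20b%2Fc%3Fd%3De%26f
    print(demo_sql())                               # ([], [(1, 'alice')])
    print(render_with_autoescape(HTML_PAYLOAD))     # <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
    print(render_without_autoescape(HTML_PAYLOAD))  # <p><script>alert(1)</script></p>
```

The last two functions are the check to run on any Jinja2 code base that is not going through Flask's template loader: if the `Environment` was built without `autoescape=True` or `select_autoescape(...)`, the "safe by default" comment on the template does not hold.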