Output validation
Context-Specific Encoding

HTML: Escape < as &lt; (and > as &gt;, & as &amp;, quotes in attribute values)
URLs: Encode spaces as %20
SQL: Use parameterised queries, never string concatenation

Example (Python - Jinja2 Auto-Escape):

```html
<!-- Escaped automatically when Jinja2 autoescape is enabled (Flask turns it on for .html templates) -->
<p>{{ user_content }}</p>
```
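The three rules above, each applied at its own sink, as an added example that is not part of the original page. It uses only the Python standard library (html, urllib.parse, sqlite3) so it runs offline without Jinja2; `render_comment` is a hand-rolled stand-in for the auto-escaped template line, and the table rows, the base URL and the inputs are constructed for illustration. The `naive_find_user` function is included only as the anti-pattern: a perfectly legitimate name containing an apostrophe is enough to break a concatenated query, while the parameterised version matches it literally.

```python
"""Context-specific output encoding for three sinks: HTML, URL, SQL.

Added example (not from the original page); standard library only.
Sample inputs, rows and URLs are constructed for illustration.
"""
import html
import sqlite3
from urllib.parse import quote


def encode_for_html(value: str) -> str:
    """Escape for an HTML text node or double-quoted attribute value:
    '<' -> '&lt;', '>' -> '&gt;', '&' -> '&amp;', '"' -> '&quot;'."""
    return html.escape(value, quote=True)


def render_comment(user_content: str) -> str:
    """Equivalent of the auto-escaped template line <p>{{ user_content }}</p>."""
    return f"<p>{encode_for_html(user_content)}</p>"


def build_search_url(base: str, query: str) -> str:
    """Percent-encode one query value: spaces become %20 and '&' becomes
    %26, so user input cannot add or split URL parameters."""
    return f"{base}?q={quote(query, safe='')}"


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; one name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user")],
    )
    return conn


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: `name` reaches the engine as data, so a quote
    inside it is compared literally and never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def naive_find_user(conn: sqlite3.Connection, name: str) -> list:
    """Anti-pattern, kept for contrast: the apostrophe in O'Brien
    unbalances the string literal and the statement fails to parse."""
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'"
    ).fetchall()


if __name__ == "__main__":
    print(render_comment('<b>hi</b> & "bye"'))
    print(build_search_url("https://example.test/search", "hello world & co"))
    db = setup_db()
    print(find_user(db, "O'Brien"))
```

The point to carry over into real code: pick the encoder by where the value ends up, not by where it came from. The same string needs `&lt;` in HTML, `%26` in a URL and no encoding at all in SQL, because the driver handles it through the placeholder.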