Validating and sanitizing
To prevent the problems described in the preceding section, we've already chosen to inspect the data on the server side and make sure it conforms to our expectations. We still have a few more choices to make, though.
White and blacklisting
We need to create some rules to choose between acceptable inputs and unacceptable inputs, and there are two main ways of doing this. One way is to blacklist inputs that look malicious. Using this method, we would create a list of characters that might be used maliciously, such as "<" and ">", and we will reject inputs that contain these characters. The alternative is to use a whitelist approach. This is the opposite of blacklisting, in that, instead of choosing which characters we won't allow, we can choose a list of characters ...
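The two approaches side by side, as an added example that is not code from the book: a blacklist validator that rejects only "<" and ">", and a whitelist validator that accepts only an explicitly allowed alphabet. The "username" field, the allowed alphabet and the sample inputs are assumptions made for the illustration.

```javascript
// Added example (not from the book): two server-side validators for a
// hypothetical "username" field, one blacklist-based and one whitelist-based.

// Blacklist: reject any input containing a character we have decided is
// dangerous. The list has to be kept complete by hand; anything we forget
// to list is accepted.
const BLACKLISTED_CHARS = new Set(['<', '>']);

function passesBlacklist(input) {
  for (const ch of input) {
    if (BLACKLISTED_CHARS.has(ch)) {
      return false;
    }
  }
  return true;
}

// Whitelist: accept only characters from an explicitly allowed alphabet
// (letters, digits, underscore and hyphen), with a length bound. Anything
// not on the list is rejected, including characters nobody thought of.
const WHITELIST_PATTERN = /^[A-Za-z0-9_-]{1,32}$/;

function passesWhitelist(input) {
  return WHITELIST_PATTERN.test(input);
}

// Constructed sample inputs showing where the two approaches diverge.
const samples = [
  'alice_01',        // ordinary username: both accept
  '<b>alice</b>',    // contains listed characters: both reject
  "O'Brien & Sons",  // unlisted punctuation: blacklist accepts, whitelist rejects
  '',                // empty string: blacklist accepts, whitelist rejects (length bound)
];

function compare(inputs) {
  return inputs.map((s) => ({
    input: s,
    blacklist: passesBlacklist(s),
    whitelist: passesWhitelist(s),
  }));
}

for (const result of compare(samples)) {
  console.log(JSON.stringify(result));
}
```

The third and fourth samples are the point of the comparison: the blacklist passes them because nobody listed "'", "&", a space or an empty value, while the whitelist rejects them without anyone having to anticipate them.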