Input validation to avoid XSS
I recently had a code reviewed for security issues. The report read “In application code, untrusted user data is displayed in the user’s browser without input validation and with deprecated output encoding”
How can input validation look? Is it an option to remove invalid or unwanted HTML with a library like JSOUP from a string before it is entered into a database?
What methods do you use? Why is input validation important, when output validation takes place.