Data from the client should never be trusted, for the client has every possibility to tamper with the data.

In many cases, encoding has the potential to defuse attacks that rely on a lack of input validation.

int payeeLstId = Parameter('payeelstid');
accountFrom = AcctNumberByIndex(payeeLstId);

Not only is this easier to render in HTML, it makes validation and business rule validation trivial.

To provide defense in depth and to prevent attack payloads from reaching trust boundaries such as backend hosts, which are probably incapable of handling arbitrary input data, business rule validation is to be performed (preferably in workflow or command patterns), even if it is known that the backend code performs business rule validation. This is not to say that the entire set of business rules need be applied; it means that the fundamentals are performed to prevent unnecessary round trips to the backend and to prevent the backend from receiving most tampered data.
One solution is to replace all non-alphanumeric characters with an encoded version, so "I like your web page" might emerge from your sanitation routines as "I%20like%20your%20web%20page". (This example uses URL encoding.) You can also go one step further. Otherwise, you are allowing attackers to repeatedly attack your application until they find a vulnerability that you haven't protected against.
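The three ideas above (resolving a client-supplied list index to a server-held account number instead of trusting an account number from the client, applying the fundamental business rules before the request is forwarded to the backend, and encoding every non-alphanumeric character of free text) fit together in one request-handling path. The following is an added example written for this page, not code from the original text; the account list, the `payeelstid` and `amount` parameter names, and the rule that amounts are positive decimals with at most two places are constructed assumptions.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed sample: the payee accounts this user is allowed to transfer from.
# In a real application this list lives in the server-side session; the client
# only ever sees the list positions 0..n-1, never the account numbers.
SESSION_PAYEE_ACCOUNTS = ["ACC-1001", "ACC-1002", "ACC-1003"]


def get_payee_account(session_accounts, raw_index):
    """Resolve the client's 'payeelstid' index to a server-held account number.

    Because the account number is looked up on the server, a tampered index can
    at worst be rejected; it can never select an account outside the user's list.
    """
    if not re.fullmatch(r"\d{1,3}", raw_index or ""):
        raise ValueError("payeelstid must be a small non-negative integer")
    idx = int(raw_index)
    if idx >= len(session_accounts):
        raise ValueError("payeelstid out of range")
    return session_accounts[idx]


def validate_transfer(session_accounts, raw_index, raw_amount):
    """Apply the fundamental business rules before the request reaches the backend.

    Only the basics are checked here (well-formed positive amount, account owned
    by the caller); the backend still enforces the full rule set.
    """
    account_from = get_payee_account(session_accounts, raw_index)
    if not re.fullmatch(r"\d{1,9}(\.\d{1,2})?", raw_amount or ""):
        raise ValueError("amount is not a well-formed decimal")
    try:
        amount = Decimal(raw_amount)
    except InvalidOperation:
        raise ValueError("amount is not a decimal")
    if amount <= 0:
        raise ValueError("amount must be positive")
    return {"account_from": account_from, "amount": amount}


def is_rejected(session_accounts, raw_index, raw_amount):
    """True when validate_transfer refuses the request (used for the demo and tests)."""
    try:
        validate_transfer(session_accounts, raw_index, raw_amount)
    except ValueError:
        return True
    return False


def encode_free_text(text):
    """Replace every non-alphanumeric character with its URL-encoded (%XX) form.

    Non-ASCII characters are encoded byte by byte in UTF-8, so the output is
    always plain ASCII letters, digits and %XX escapes.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


if __name__ == "__main__":
    # A well-formed request: index 1 resolves to the second account.
    print(validate_transfer(SESSION_PAYEE_ACCOUNTS, "1", "25.50"))
    # Constructed tampered inputs: out-of-range index, injection text, negative amount.
    for idx, amt in (("7", "10"), ("1 OR 1=1", "10"), ("0", "-5")):
        print(repr((idx, amt)), "rejected:", is_rejected(SESSION_PAYEE_ACCOUNTS, idx, amt))
    print(encode_free_text("I like your web page"))
```

The index lookup is what makes the business rule check cheap: once `payeelstid` has been resolved against the session's own list, there is no account-number format to parse and no ownership query to run, and anything that is not a small integer within range is dropped before a backend round trip is spent on it.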