November 2nd, 2013, 01:31 AM
November 2nd, 2013, 02:10 AM
No. This is a common misunderstanding: XSS is an output problem, not an input problem. Your users may enter any character they want. It's your job to make sure that the output is correct by escaping the values.
Mangling the user input just because it has a special meaning in some contexts is a bad idea. If this forum worked like that, we couldn't write a single sentence. We wouldn't be allowed to use the words "from" or "and", because those are SQL keywords. We couldn't write down quotes, because those are used in HTML etc.
Don't mess with the user input. Store the original, unaltered data and do the escaping when you output the data.
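The store-raw, escape-on-output approach the reply describes, as an added Python example (not code from the forum post). The sample inputs and the helper names (`store`, `render_text`, `render_attr`, `render_url_param`, `mangle_on_input`) are constructed for illustration; it also goes one step beyond the reply by showing that the escaping rule depends on the output context (text node, attribute, URL parameter).

```python
import html
from urllib.parse import quote

# Constructed sample inputs (not from the forum post): ordinary prose that an
# input filter would damage, and a string containing HTML metacharacters.
SAMPLE_INPUTS = [
    "O'Reilly said \"select from and\"",   # quotes and SQL keywords are normal text
    '<b>bold</b> & "quoted"',             # must render as literal text, not markup
]


def mangle_on_input(raw: str) -> str:
    """The anti-pattern: strip 'dangerous' characters before storing.
    Legitimate text is destroyed and the original can never be recovered."""
    return "".join(ch for ch in raw if ch not in "<>\"'&")


def store(raw: str) -> str:
    """Storage layer: keep the user's text exactly as entered; no escaping here."""
    return raw


def render_text(value: str) -> str:
    """Escape for an HTML text node (between tags): & < > are the metacharacters."""
    return html.escape(value, quote=False)


def render_attr(value: str) -> str:
    """Escape for a quoted HTML attribute value: quotes must be escaped as well."""
    return html.escape(value, quote=True)


def render_url_param(value: str) -> str:
    """Escape for a URL query parameter: a different context with different rules."""
    return quote(value, safe="")


def render_profile(stored: str) -> str:
    """Place the same stored value in three contexts, escaping each for where it lands.
    The stored value is untouched, so an edit form can show the user their own text."""
    return (
        f"<p>{render_text(stored)}</p>"
        f'<input value="{render_attr(stored)}">'
        f'<a href="/search?q={render_url_param(stored)}">search</a>'
    )


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print("mangled :", mangle_on_input(raw))
        print("rendered:", render_profile(store(raw)))
```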