Proper input sanitization can prevent insertion of malicious data into a subsystem such as a database. However, different subsystems require different types of sanitization: the characters that are dangerous to a SQL parser are not the same as those that are dangerous to an HTML parser. Fortunately, it is usually obvious which subsystems will eventually receive which inputs and, consequently, what type of sanitization is required.
Several subsystems exist for the purpose of outputting data. An HTML renderer, as part of a web browser, is one common subsystem for displaying output. Data sent to an output subsystem may appear to originate from a trusted source; consequently, it is tempting to assume that output sanitization is unnecessary. However, such data may indirectly originate from an untrusted source (for example, a comment that was stored in a database on an earlier request) and may include malicious content. Failure to properly sanitize data passed to an output subsystem can enable several types of attacks. For example, HTML renderers are prone to HTML injection and cross-site scripting (XSS) [OWASP 2011] attacks. Note that the term cross-site scripting is generally applied to such attacks even when they involve only one site. Output sanitization to prevent such attacks is as vital as input sanitization.
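The following example is added here to illustrate the two points above; it is not code from the original standard. A comment is sanitized correctly for the database subsystem (a parameterized query) and survives the round trip verbatim, so it is still dangerous when handed to the HTML renderer. The renderer then needs its own, context-specific sanitization: the escaping that is sufficient inside an element's text is not sufficient inside a quoted attribute. The sample comment strings, the table name and the function names are constructed for this example; only the standard library (`sqlite3` and `html.escape`) is used.

```python
import html
import sqlite3

# Constructed sample inputs, assumed to be attacker-controlled.
STORED_XSS_COMMENT = "<script>alert(document.cookie)</script>"
ATTR_BREAKOUT = '" onmouseover="alert(1)'


def store_and_fetch(comment):
    """Store a comment with a parameterized query and read it back.

    Parameterization sanitizes for the SQL subsystem only: the text is
    stored verbatim, so any HTML it contains survives the round trip and
    arrives at the output subsystem looking like "our own" database data.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES (?)", (comment,))
    (body,) = conn.execute("SELECT body FROM comments").fetchone()
    conn.close()
    return body


def render_text_unsafe(body):
    # No output sanitization: the markup in body is handed to the renderer as-is.
    return f"<p>{body}</p>"


def render_text_safe(body):
    # Element text context: escaping & < > is enough to neutralize tags.
    return f"<p>{html.escape(body, quote=False)}</p>"


def render_attr_wrong_context(title):
    # Reusing the text-context escaper inside a quoted attribute: the quote
    # character is left alone, so the attacker can close the attribute and
    # start a new one (an event handler here).
    return f'<a title="{html.escape(title, quote=False)}" href="/">link</a>'


def render_attr_safe(title):
    # Attribute context: quotes must be escaped as well (quote=True).
    return f'<a title="{html.escape(title, quote=True)}" href="/">link</a>'


def introduces_markup(rendered, payload):
    """True if the rendered output still contains the raw payload, i.e. the
    data reached the renderer without being neutralized."""
    return payload in rendered


if __name__ == "__main__":
    body = store_and_fetch(STORED_XSS_COMMENT)
    print(render_text_unsafe(body))
    print(render_text_safe(body))
    print(render_attr_wrong_context(ATTR_BREAKOUT))
    print(render_attr_safe(ATTR_BREAKOUT))
```

The `introduces_markup` check is deliberately crude (a substring test); it is there to make the difference between the two renderers mechanically visible, not as a general XSS detector. In a real application the escaping function would be chosen per output context (element text, attribute, URL, JavaScript string) by the templating layer rather than by hand.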
...