...
As with input validation, normalize data before filtering for malicious characters. To avoid vulnerabilities caused by data that bypasses validation, we recommend that all output characters other than those known to be safe be encoded.
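The ordering described above, as an added example that is not code from the original page: normalization runs first, then every character outside an allowlist is encoded. The function names, the allowlist contents, the sample input and the choice of HTML numeric character references as the output encoding are assumptions made for illustration.

```python
import unicodedata

# Allowlist of characters emitted unencoded (an assumption for this example):
# ASCII letters, digits and the space character.
SAFE = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789 "
)


def encode_for_html(text: str) -> str:
    """Normalize, then encode every character that is not on the allowlist."""
    # Normalize first: NFKC folds compatibility forms such as the fullwidth
    # less-than sign (U+FF1C) into ASCII '<', so the encoder below works on
    # the characters that a downstream consumer will actually see.
    normalized = unicodedata.normalize("NFKC", text)
    return "".join(
        ch if ch in SAFE else f"&#x{ord(ch):X};" for ch in normalized
    )


def denylist_then_normalize(text: str) -> str:
    """Wrong order, kept for contrast: escape a denylist, normalize afterwards."""
    escaped = (
        text.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
    )
    # Normalizing after filtering reintroduces characters the filter never saw.
    return unicodedata.normalize("NFKC", escaped)


# Constructed sample input: fullwidth angle brackets around "b", then "hi".
SAMPLE = "\uFF1Cb\uFF1Ehi"

if __name__ == "__main__":
    print("denylist, then normalize:", denylist_then_normalize(SAMPLE))
    print("normalize, then encode  :", encode_for_html(SAMPLE))
```

With the wrong ordering the angle brackets reach the output unescaped, while the normalize-then-encode path emits them only as character references.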
Noncompliant Code Example
...