Many applications employ input filtering and validation mechanisms that black-list characters. For example, an application may not want wish to accept forbid <script> tags to avoid vulnerabilities such as Cross Site Scripting (XSS). Although such black-listing mechanisms are insufficient by themselves, when implemented, validation must be performed after normalizing the input.
...