For example, if you use HTML entity encoding on user input before it is sent to a browser, it will prevent most XSS attacks. However, simply preventing attacks is not enough - you must perform Intrusion Detection in your applications. The goal is to ensure that the application is robust against all forms of input data, whether obtained from the user, infrastructure, external entities or database systems.

The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as Interpreter Injection, locale/Unicode attacks, file system attacks and buffer overflows. All sections should be reviewed.

Integrity checks must be included wherever data passes from a trusted to a less trusted boundary, such as from the application to the user's browser in a hidden field, or to a third party payment gateway, such as a transaction ID used internally upon return.
This confusion directly causes continuing financial loss to the organization. Data from the client should never be trusted, because the client has every opportunity to tamper with the data. In many cases, encoding has the potential to defuse attacks that rely on a lack of input validation. Each tier should validate for the issues it is exposed to: for example, the web / presentation tier should validate for web related issues, persistence layers should validate for persistence issues such as SQL / HQL injection, directory lookups should check for LDAP injection, and so on.
These definitions are used within this document: Ensure that data is not only validated, but business rule correct.
For example, interest rates fall within permitted boundaries.
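
The integrity check described above, for a value that leaves the application in a hidden field or through a payment gateway and is used internally on return, can be done with a keyed MAC. The following is an added example, not code from the original text; the names `SERVER_KEY`, `protect` and `verify`, the `value.tag` token layout and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never leaves the application.
# Generated per process here so the example runs; load it from a secret store in practice.
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id: str, field: str, value: str, key: bytes) -> str:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") give different MAC inputs.
    parts = [p.encode("utf-8") for p in (session_id, field, value)]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def protect(session_id: str, field: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag' for the hidden field or gateway round trip."""
    return f"{value}.{_tag(session_id, field, value, key)}"


def verify(session_id: str, field: str, token: str, key: bytes = SERVER_KEY):
    """Return the original value, or None if the token is malformed or altered."""
    value, sep, tag = token.rpartition(".")
    if not sep:
        return None  # no tag present at all
    expected = _tag(session_id, field, value, key)
    # Constant-time comparison; encoding to bytes lets non-ASCII input fail cleanly.
    if hmac.compare_digest(tag.encode("utf-8", "replace"), expected.encode("ascii")):
        return value
    return None


if __name__ == "__main__":
    # Constructed sample values.
    token = protect("sess-A", "txn_id", "TX-1001")
    print(verify("sess-A", "txn_id", token))
    print(verify("sess-A", "txn_id", token.replace("TX-1001", "TX-1002")))
    print(verify("sess-B", "txn_id", token))
```

Binding the tag to the session and the field name means a token copied from another session, or moved to a different field, is rejected as well as one whose value was edited. A value that passes this check is only known to be unmodified; it still has to pass validation and business rule checks.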