Is there a consensus on whether HTML encoding should happen upon upload or retrieval/display for defense against stored XSS?
The common thing to do in defense against XSS, stored or not, is to HTML-encode the payload. Encoding upon the upload/POST of the data is efficient for processing power and neutralizes it early to be stored in the database but the payload … Continue reading Is there a consensus on whether HTML encoding should happen upon upload or retrieval/display for defense against stored XSS?