To prevent the preceding, we've already chosen to inspect the data on the server side and make sure it conforms to our expectation. We still have a few more choices to make, though.
We need to create some rules to choose between acceptable inputs and unacceptable inputs, and there are two main ways of doing this. One way is to blacklist inputs that look malicious. Using this method, we would create a list of characters that might be used maliciously, such as "<" and ">", and we would reject inputs that contain these characters. The alternative is to use a whitelist approach. This is the opposite of blacklisting, in that, instead of choosing which characters we won't allow, we choose a list of characters that we will allow.
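The two approaches side by side, as an added example that is not from the original text: a blacklist that rejects only literal "<" and ">" beside a whitelist that accepts only characters explicitly allowed for a username field. The field name, allowed set and sample inputs are assumptions for illustration.

```python
import re

# Blacklist approach: reject any input containing one of these characters.
BLACKLIST = set("<>")

# Whitelist approach: accept only inputs made entirely of allowed characters,
# with a length bound. The allowed set is an assumed rule for a username field.
WHITELIST_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,32}")


def blacklist_ok(value: str) -> bool:
    """Accept unless the value contains a blacklisted character."""
    return not any(ch in BLACKLIST for ch in value)


def whitelist_ok(value: str) -> bool:
    """Accept only if the whole value matches the allowed pattern."""
    return WHITELIST_PATTERN.fullmatch(value) is not None


def classify(value: str) -> dict:
    """Report the verdict of each approach for one input."""
    return {"blacklist": blacklist_ok(value), "whitelist": whitelist_ok(value)}


# Constructed sample inputs. The last two contain no literal angle brackets,
# so the blacklist lets them through while the whitelist still rejects them.
SAMPLES = [
    "alice_01",        # ordinary username: both accept
    "bob<b>",          # literal angle brackets: both reject
    "carol%3Cb%3E",    # URL-encoded brackets: blacklist misses, whitelist rejects
    "dave&lt;b&gt;",   # HTML-entity form: same outcome
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:20} {classify(sample)}")
```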
It may seem like a nit-picky distinction, but it is important nonetheless. If we go with a blacklist approach, we are more likely to be outsmarted by malicious users who manage to inject code using only characters...