zdragnar 2 days ago
Sanitizing is just a form of encoding that prevents data from becoming executable unintentionally.
chrismorgan 2 days ago
I don’t like how you’re categorising things. Sanitising is absolutely nothing to do with encoding. You can sanitise without encoding, you can encode without sanitising, or you can do both in sequence; and all of these combinations are reasonable and common, in different situations. And sanitising may operate on serialised HTML (risky), or on an HTML tree (both easier and safer). Saying sanitising is a form of encoding is even less accurate than saying that a paint-mixing stick is a type of paint brush. You can mix paint without painting it, and you can paint without mixing it first.
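The distinction drawn above, encoding and sanitising as two independent operations that can also be chained, as an added Python example that is not code from either commenter. The tag allowlist, the script/style handling and the sample input are assumptions; the sanitiser works on the stdlib parser's token stream rather than on the serialised string, as a stand-in for the tree-based approach.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist: elements kept by the sanitiser (all attributes are dropped).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}
# Assumed: elements whose text content is discarded rather than kept as text.
DROP_CONTENT = {"script", "style"}


def encode(text: str) -> str:
    """Encoding only: every markup-significant character becomes an entity,
    so the result is inert text. Nothing is removed and no markup survives."""
    return html.escape(text, quote=True)


class AllowlistSanitiser(HTMLParser):
    """Sanitising only: rebuild markup from parsed tokens, keeping allowed
    elements, dropping everything else, and re-escaping text on output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities decoded to text
        self.out: list[str] = []
        self.skip = 0  # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes intentionally dropped

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitise(markup: str) -> str:
    """Parse, filter and re-serialise; allowed markup survives as markup."""
    parser = AllowlistSanitiser()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample input, not taken from the thread.
SAMPLE = '<b>hi</b><script>x()</script><p>5 &lt; 6</p><a href="x" onclick="y">link</a>'
```

`encode(SAMPLE)` keeps every character but as text, `sanitise(SAMPLE)` keeps `<b>` and `<p>` as real markup while the script and the anchor are gone, and `encode(sanitise(SAMPLE))` is the "both in sequence" case, for instance to display the sanitised source inside a `<pre>`.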