For example, data submitted by the user:
a < b
Method 1: encode it when it is stored in the database, that is, it is stored as
a &lt; b
Method 2: encode it when writing HTML, that is, store it in the database as is
a < b
but before writing it to the page, it is encoded as
a &lt; b
I personally prefer method 1, because XSS is caused by a misunderstanding in the browser, and the data returned by the backend is not necessarily given to a browser; other clients (such as a mobile phone app) do not have to worry about it. That is one reason.
Second, if this column is to be compared in a SELECT, method 2 requires that the compared values must also be encoded first, otherwise they cannot be equal, for example:
WHERE c = "a < b"
It certainly won't work to write it this way, because the database stores "a &lt; b".
So, from a purely programming point of view, method 2 always assumes that the client is a browser, which is not good. But the problem with method 1 is that if you have to "remember" to encode every time you write to HTML, it's too easy to forget! Once forgotten, there is a security risk, right?
so what do you suggest?
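As an added example (not part of the original post, and not an answer by anyone in the thread), the following script runs both methods against an in-memory SQLite table so that the two points raised above can be checked concretely: with method 1 an equality lookup only matches when the search value is HTML-encoded too, and a JSON client receives `a &lt; b` instead of the text the user typed; with method 2 the lookup matches the raw value, but any HTML sink that forgets to encode emits the payload verbatim. Table and column names, the sample inputs, and the small render helpers are assumptions made for the example.

```python
"""Storage-time vs output-time HTML encoding, run against an in-memory
SQLite table.  Added example; not code from the original post."""
import html
import json
import sqlite3

# Constructed sample inputs; the first one is the value from the question.
SAMPLES = ["a < b", '<img src=x onerror="alert(1)">', "Tom & Jerry"]


def escape_html(s: str) -> str:
    """Encode & < > " ' so the text is inert in HTML text and attribute contexts."""
    return html.escape(s, quote=True)


def new_db() -> sqlite3.Connection:
    """Hypothetical table 'comments' with one text column 'c'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, c TEXT NOT NULL)")
    return conn


def store_method1(conn: sqlite3.Connection, value: str) -> None:
    """Method 1: encode before INSERT; the table holds HTML-encoded text."""
    conn.execute("INSERT INTO comments (c) VALUES (?)", (escape_html(value),))


def store_method2(conn: sqlite3.Connection, value: str) -> None:
    """Method 2: store the raw text; encoding happens only at the HTML sink."""
    conn.execute("INSERT INTO comments (c) VALUES (?)", (value,))


def count_equal(conn: sqlite3.Connection, needle: str) -> int:
    """Parameterised equality lookup (the WHERE c = ... from the question)."""
    row = conn.execute("SELECT COUNT(*) FROM comments WHERE c = ?", (needle,)).fetchone()
    return row[0]


def stored_values(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT c FROM comments ORDER BY id")]


def render_html_method1(stored: str) -> str:
    """Method 1 sink: the value is already encoded, so it is written as-is."""
    return f"<p>{stored}</p>"


def render_html_method2(stored: str) -> str:
    """Method 2 sink: encode at output time.  Forgetting escape_html() here
    is exactly the 'too easy to forget' risk described in the question."""
    return f"<p>{escape_html(stored)}</p>"


def render_html_forgotten(stored: str) -> str:
    """Method 2 with the encoding step forgotten: the XSS case."""
    return f"<p>{stored}</p>"


def render_json(stored: str) -> str:
    """A non-browser client (e.g. a mobile app) receiving the column as JSON."""
    return json.dumps({"c": stored})


def demo() -> dict:
    """Run every combination once and return the observations as a dict."""
    db1, db2 = new_db(), new_db()
    for s in SAMPLES:
        store_method1(db1, s)
        store_method2(db2, s)
    first1, first2 = stored_values(db1)[0], stored_values(db2)[0]
    return {
        # Method 1: a raw search value never matches; an encoded one does.
        "m1_raw_match": count_equal(db1, "a < b"),
        "m1_encoded_match": count_equal(db1, escape_html("a < b")),
        # Method 2: the raw search value matches directly.
        "m2_raw_match": count_equal(db2, "a < b"),
        # What a JSON client sees under each method.
        "m1_json": render_json(first1),
        "m2_json": render_json(first2),
        # Encoding a method-1 value again at the sink double-encodes it.
        "m1_double_encoded": render_html_method2(first1),
        # Method 2 with the sink encoding forgotten leaks the payload.
        "m2_forgotten": render_html_forgotten(stored_values(db2)[1]),
        "m2_correct": render_html_method2(stored_values(db2)[1]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `m1_double_encoded` entry shows the other side of the trade-off the question describes: once a column is stored encoded, every sink must also know not to encode it again, so the "remember to encode" problem does not disappear, it only changes shape.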