This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Category:WASS Validate Outputs

Jump to: navigation, search

Validate outputs

Applications continually display outputs either based on, or containing user inputs. Just as important it is to validate data coming into an application, it is necessary to validate outputs to other users.

  1. The application must encode data when it is outputted so that it does not represent an alternate meaning. Specifically
    1. All outputs that are derived from user data should be HTML encoded to avoid cross-site scripting vulnerabilities, amongst other potential attacks.
  2. When error messages are generated, they should not disclose internal application information, or other sensitive data.

This category currently contains no pages or media.