# Input Validation and Output Encoding

One-sentence definition: Accept only expected input and safely render output to prevent injections.

## Key Facts

- Prefer allowlists; enforce schemas/types/lengths; server-side checks.
- Contextual output encoding (HTML/attribute/JS/URL).
- Use prepared statements/parameters; no string concatenation for queries.
- Normalize/canonicalize before validation when needed.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Distinguish validation (in) vs encoding (out).

**Mnemonic:** “**Validate in, encode out**.”

## Mini Scenario

Q: Reflected XSS—what broke?

A: Missing output encoding in HTML context.

## Revision Checklist

- Allowlist vs blocklist.
- Four encoding contexts.
- Normalization reason.

## Related

[[Secure Database Access and SQL Injection Prevention]] · [[Web XSS Defenses and Content Security Policy (CSP)]] · [[SSRF Prevention and Server-Side Protections]] · [[Unsafe Deserialization and Object Injection]] · [[Domain 8 - Index]]