You need both. Sometimes the legit input is HTML such as from rich text editors. In those cases, if someone types a bold <script> then the form should submit the escaped <b><script></b> but also needs to sanitise to make sure that other HTML element types are not present.
If you escape one step further you'll lose formatting or the message, so sanitisation is important too; it is reductive to say "always escape never sanitise".
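As a worked illustration of the point above (escape the text, but also allowlist which elements may survive), here is a small sanitiser in Python built on the standard library's html.parser. This is an added example, not code from any commenter in the thread; the allowed element set, the class and function names, and the sample submissions are all assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: the formatting elements a rich text editor is permitted to
# submit. Everything else (script, img, iframe, event handlers, ...) is removed.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}  # elements that never get a closing tag


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input from scratch: keep allowlisted elements (without any
    attributes), escape every text node, and drop every other construct."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []    # output fragments
        self.open = []   # stack of allowlisted elements currently open

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # Attributes are never copied, so onclick=, href=javascript: and
            # similar cannot survive even on an allowed element.
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open.append(tag)
        # A disallowed tag is simply not emitted; any text inside it still
        # reaches handle_data and is escaped rather than kept as markup.

    def handle_endtag(self, tag):
        if tag in self.open:
            # Close the matching element, repairing any mis-nesting on the way.
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text nodes are always escaped. Quotes need no escaping outside
        # attribute values, and this sanitiser emits no attributes.
        self.out.append(escape(data, quote=False))

    def result(self):
        # Close anything the input left open so the fragment is well-formed.
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return a safe HTML fragment that preserves allowlisted formatting."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample submissions, as a rich text editor might send them.
    samples = [
        "<b>&lt;script&gt;</b>",                  # user typed a bold "<script>"
        "<b>bold</b> <script>alert(1)</script>",  # an actual script element
        "<img src=x onerror=alert(1)>hi",         # disallowed element
        '<b onclick="steal()">unterminated',      # attribute on an allowed tag
        "1 < 2 & 3",                              # plain text with specials
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)))
```

The first sample is the case from the comment: the editor has already escaped the typed "<script>" inside a bold element, and the sanitiser keeps it that way. The remaining samples show the other half of the job: a real script element, a disallowed image element, and an event-handler attribute on an otherwise allowed tag are all removed while the surrounding text and formatting survive.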
kolme|10 years ago
"<script>" might be a legitimate input.
eterm|10 years ago