Section 4.3.7
Top Level
Sub Level
General
Input should be converted to its canonical form before validation. Otherwise, attackers can encode the data so that the validation logic does not recognise it, allowing them to bypass validation.
Django
During validation, form fields typically convert the input to a Python object, e.g. a Unicode string, an integer, etc. Once a field has been validated, you can be assured that its value is of the desired Python type.
PHP
Disable magic_quotes_gpc. It has poor escaping logic and can unnecessarily complicate the filtering process.
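The General guidance above, as an added example that is not part of the original guideline text: a filename validator applied to raw input is compared with one that canonicalizes first (repeated percent-decoding to a fixed point, then Unicode NFKC normalization). The sample inputs, the character allowlist and the function names are constructed for this illustration.

```python
import unicodedata
from urllib.parse import unquote

# Constructed allowlist for a simple filename field.
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")

def canonicalize(value: str, max_rounds: int = 4) -> str:
    """Reduce input to one canonical form: percent-decode repeatedly until a
    fixed point (so double encoding is undone), then apply Unicode NFKC so
    fullwidth look-alikes (e.g. U+FF0E, U+FF0F) become their ASCII forms."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)

def naive_validate_filename(value: str) -> bool:
    """Validation applied to the raw input: the rule itself is reasonable,
    but an encoded separator never contains the literal characters it looks for."""
    return ".." not in value and "/" not in value and "\\" not in value

def validate_filename(value: str) -> bool:
    """Canonicalize first, then validate: reject traversal components and
    anything outside the allowlist."""
    canon = canonicalize(value)
    if not canon or ".." in canon:
        return False
    return all(ch in ALLOWED_CHARS for ch in canon)

# Constructed sample inputs (not taken from any real request), with the
# verdict a correct validator should reach.
SAMPLES = {
    "report.pdf": True,
    "../etc/passwd": False,
    "%2e%2e%2fetc%2fpasswd": False,            # single percent-encoding
    "%252e%252e%252fetc%252fpasswd": False,    # double percent-encoding
    "\uff0e\uff0e\uff0fetc\uff0fpasswd": False,  # fullwidth '.' and '/'
}

def compare() -> dict:
    """Map each sample to (naive verdict, canonicalized verdict)."""
    return {s: (naive_validate_filename(s), validate_filename(s)) for s in SAMPLES}

if __name__ == "__main__":
    for sample, (naive, canonical) in compare().items():
        print(f"{sample!r:40} naive={naive} canonical={canonical}")
```

The three encoded variants pass the naive check but are rejected once canonicalized, which is the bypass the guideline warns about.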