Section 4.4.2

General
Output from untrusted sources (that has not already been encoded) should be encoded before it is sent to the user's browser, as this will neutralize any client-side "code" that might have been surreptitiously inserted within the data.
Django

Untrusted data is auto-escaped in templates by default. Where appropriate, auto-escaping can be turned off. In code there is also the django.utils.safestring.mark_safe() function, which can be called on a variable passed to a template to mark it as already safe so that the template does not escape it.

Natural Webagent

At the top of every .wbs or .wbh file that displays output, insert the following line immediately after end-define:

move *encode.html_output_encoding to *encode.mode

Encoding can also be switched off explicitly. For more details on entity encoding, see this TechLounge article.

.NET

The Server.HtmlEncode() method converts HTML-significant characters into entity references, so the browser renders the string as text rather than executing it as markup.
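As an added illustration of the rule stated above for all three frameworks (example code, not from the original page, Django, Natural or .NET), the following plain-Python model shows output encoding applied at the point where untrusted data meets the page, a Django-style mark_safe() bypass for content that is already encoded, and why encoding must happen exactly once. It uses html.escape from the standard library; the names SafeString, mark_safe, html_encode, the render_* functions and the sample input are assumptions of this example.

```python
import html


class SafeString(str):
    """Marker type: the wrapped text is already HTML-encoded (stand-in for Django's SafeString)."""


def mark_safe(value: str) -> SafeString:
    """Declare a string safe for output; only use on data that was already encoded."""
    return SafeString(value)


def html_encode(value) -> SafeString:
    """Encode untrusted text for an HTML context; values already marked safe pass through
    unchanged, so the same data is never encoded twice (no '&amp;amp;' artifacts)."""
    if isinstance(value, SafeString):
        return value
    # quote=True also encodes " and ' so the value is safe inside quoted attributes
    return SafeString(html.escape(str(value), quote=True))


def render_unsafe(name) -> str:
    """'Before': raw interpolation, any markup inside name reaches the browser as code."""
    return f"<p>Hello, {name}</p>"


def render_encoded(name) -> str:
    """'After': every untrusted value is encoded on its way out (auto-escaping behaviour)."""
    return f"<p>Hello, {html_encode(name)}</p>"


# Constructed sample input standing in for a user-supplied display name.
CONSTRUCTED_INPUT = '<script>alert("xss")</script>'

if __name__ == "__main__":
    print(render_unsafe(CONSTRUCTED_INPUT))    # markup survives intact
    print(render_encoded(CONSTRUCTED_INPUT))   # rendered as visible text
    print(render_encoded(mark_safe("<b>pre-encoded</b>")))  # bypass, left as-is
```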