What is the logic behind filtering/sanitizing input?

  softwareengineering

I have always found it more logical to validate input instead of filtering it. How to appropriately filter data depends on the situation, so IMO it should be done on output or when saving to a database.

But I see that some frameworks provide automatic XSS filters for incoming POST and GET data. What is the logic behind this solution? I can’t see any advantages in doing this except providing a quick and easy solution to “lazy” developers.

Or is there some specific security reason I don’t understand?

2

I wouldn’t say frameworks provide XSS filtering because developers are “lazy.” They do it so developers can focus on creating code specifically for their application. A developer’s job is hard enough handling the (sometimes) baffling business rules applications have to enforce.

Let’s say you were an expert carpenter. Given enough time you can build anything. You have a job to redo someone’s kitchen. Should you spend a good chunk of time making the best hammer in the world? Or, should you spend your time redoing the kitchen and use the $20 hammer you can pick up at Lowe’s?

The company that makes hammers focuses all their energy on making the best hammers they can. The people who make the frameworks focus their energy on making the best frameworks they can. They can spend their time testing and retesting that code because that is what they focus on. When you have to roll your own you may miss something or create a bug you could never think of. Sometimes you have to create your own hammer (or code) to meet a very specific need, but hopefully that is few and far between.

2

My preference is to always validate input and filter output. Filtering input will often save time and help the lazy, but it’s always possible your output filtering will need to change or you’ll want to analyze the raw data for security or statistical reasons.
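The "validate input, filter output" pattern from the question and this answer, as an added worked example (not code from either poster or from any framework). It assumes a constructed comment form with a `username` field and a free-text `comment` field: the username has a known shape and is validated against an allow-list, the comment is kept exactly as typed, and escaping happens only at render time with an encoder chosen for the output context (HTML body, HTML attribute, JSON, URL parameter). A naive input filter is included alongside to show the data loss the answer warns about.

```python
"""Validate on input, encode on output. Added example; sample data is constructed."""
import html
import json
import re
import urllib.parse

# Constructed sample submissions, as a comment form might receive them.
SAMPLE_SUBMISSIONS = [
    {"username": "alice_01", "comment": "I <3 this framework & so does O'Brien"},
    {"username": "bob<script>", "comment": "hello"},
]

# A username has a narrow, known shape, so an allow-list pattern is appropriate.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def is_valid_username(value: str) -> bool:
    """Input validation: does the value fit the field's definition?"""
    return USERNAME_RE.fullmatch(value) is not None


def validate_username(value: str) -> str:
    """Reject rather than "clean up": a rejected value never reaches storage."""
    if not is_valid_username(value):
        raise ValueError(f"invalid username: {value!r}")
    return value


def validate_comment(value: str) -> str:
    """Free text has no shape to allow-list, so validate only structural limits
    (length, no control characters) and keep the content exactly as typed."""
    if len(value) > 2000:
        raise ValueError("comment too long")
    if any(ord(ch) < 0x20 and ch not in "\n\t" for ch in value):
        raise ValueError("control characters not allowed")
    return value


def naive_input_filter(text: str) -> str:
    """What 'filtering on input' tends to look like: strip markup characters
    before storing. The original text is lost and cannot be re-rendered later."""
    return text.replace("<", "").replace(">", "")


def render_html_body(text: str) -> str:
    """Output encoding for HTML element content: escape the characters that
    carry meaning in markup. The stored value is untouched."""
    return html.escape(text, quote=True)


def render_html_attribute(text: str) -> str:
    """Attribute context: same escaping, plus the surrounding quotes are mandatory."""
    return '"' + html.escape(text, quote=True) + '"'


def render_json(obj) -> str:
    """A different sink needs a different encoder: JSON escaping, with < and >
    also escaped so the result stays inert if embedded in a <script> block."""
    return json.dumps(obj).replace("<", "\\u003c").replace(">", "\\u003e")


def render_url_param(text: str) -> str:
    """URL query context: percent-encode everything that is not unreserved."""
    return urllib.parse.quote(text, safe="")


def process(submission: dict) -> dict:
    """Validate the fields, keep the raw values, and produce one rendering per
    output context. Raw data stays available for later analysis or re-rendering."""
    username = validate_username(submission["username"])
    comment = validate_comment(submission["comment"])
    return {
        "raw": {"username": username, "comment": comment},
        "html_body": render_html_body(comment),
        "html_attr": render_html_attribute(comment),
        "json": render_json({"username": username, "comment": comment}),
        "url": render_url_param(comment),
    }


if __name__ == "__main__":
    for sub in SAMPLE_SUBMISSIONS:
        try:
            for ctx, value in process(sub).items():
                print(f"{ctx:10s} {value}")
        except ValueError as err:
            print(f"rejected   {err}")
        print(f"naive      {naive_input_filter(sub['comment'])}")
```

Running it shows the point of the answer concretely: "I <3 this framework" survives intact in storage and is rendered safely in each context, whereas the naive input filter turns it into "I 3 this framework" and there is no way to recover what the user wrote. The second submission is rejected outright at validation, which is the right response for a field with a defined shape.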
