@MichaelQuad Two reasons. 1) The transmitter doesn't know what additional characters the receiver will find unsafe; it can only guess. What if the receiver needs to escape characters the transmitter did not anticipate? 2) How do you know for sure the transmitter did its escaping? For these reasons, the receiver has to validate and escape as well; why should the transmitter do extra work if the receiver has to do it, and can do it better? This applies to all input; never trust input. Trusting input invites things like SQL injection attacks.
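Both reasons above in working code, as an added example that is not part of the comment. It assumes a receiver backed by SQLite (via Python's standard sqlite3 module) and a transmitter that "helpfully" escapes with MySQL-style backslashes; the table, the sample users and the function names are constructed for the illustration. The trusting receiver is beaten both by a transmitter that skipped escaping (reason 2) and by one that escaped for the wrong dialect (reason 1: SQLite gives backslash no special meaning, so the quote still closes the string). The receiver that validates and binds its own parameters is unaffected either way.

```python
import re
import sqlite3

# Allow-list for the only usernames this receiver is willing to look up.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def mysql_style_escape(value: str) -> str:
    """What a well-meaning transmitter might do: backslash-escape quotes,
    MySQL style. SQLite does not treat backslash as an escape character,
    so this guess about the receiver's escaping rules is simply wrong."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def trusting_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Receiver that trusts the transmitter to have escaped `username`
    and splices it straight into the statement. Deliberately unsafe."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def bound_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Receiver that does its own escaping by letting the driver bind the
    value as a parameter: whatever the string contains, it is compared as
    data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Receiver that validates first (allow-list) and then binds. Rejecting
    input that does not look like a username is the layer binding alone
    does not give you; it catches junk before it reaches any parser."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by receiver-side validation")
    return bound_lookup(conn, username)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"            # transmitter did no escaping at all
    mis_escaped = mysql_style_escape(payload)  # escaped for the wrong dialect

    # Trusting receiver: every row comes back in both cases.
    print("trusting, unescaped :", trusting_lookup(conn, payload))
    print("trusting, mis-escaped:", trusting_lookup(conn, mis_escaped))

    # Binding receiver: the payload is looked up literally and matches nothing.
    print("bound, mis-escaped  :", bound_lookup(conn, mis_escaped))
    print("bound, legitimate   :", bound_lookup(conn, "alice"))

    # Validating receiver: the payload never reaches the database.
    try:
        safe_lookup(conn, mis_escaped)
    except ValueError as exc:
        print("safe, mis-escaped   : rejected ->", exc)
    print("safe, legitimate    :", safe_lookup(conn, "alice"))
```

With the mis-escaped value the trusting receiver executes `WHERE username = '\' OR 1=1 --'`: SQLite reads `'\'` as a one-character string, `OR 1=1` makes the predicate true for every row, and `--` comments out the stray closing quote. The bound and validating receivers return only what a username of exactly that value would match, which is nothing.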