For example:
Regarding preventing XSS attacks: should HTML encoding be performed on user input, or when outputting to the page? Which approach is better?
Personally, I feel it is more convenient to encode at input time, because there will be more pages that output content, and it is easy to miss one when you have to encode every time. However, in actual applications, it seems that encoding at output time is more convenient?
For XSS filtering, remember:
It must be filtered on the server side!!!!!!!
Be sure to filter on output!!!!!
Server side: write an escaping library and escape when displaying.
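As an added example (not code posted in this thread), here is what "escape when displaying" looks like in Node.js: the stored value is kept raw, and each output site escapes for its own context (HTML text, quoted attribute, JS string inside a script block). The escaping helpers, the page template and the malicious display name are all constructed for illustration; the point it shows beyond the thread is that one encoding applied at input time cannot serve all three output contexts, and that a non-HTML consumer (a JSON API) would otherwise receive the mangled, pre-encoded value.

```javascript
// Added example, not from the original thread: output-time escaping.
// Data is stored raw; every output site escapes for its own context.

// Escape for HTML text content and for double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape for embedding a value as a JS string literal inside <script>.
// JSON.stringify handles quotes and backslashes; "<" is additionally
// escaped so that "</script>" in the data cannot close the script block,
// and U+2028/U+2029 are escaped because they end a JS line.
function escapeForScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed sample: a display name an attacker might submit.
const storedName = 'O\'Brien <img src=x onerror=alert(1)>"></script>';

// Vulnerable rendering: raw concatenation into three different contexts.
function renderUnsafe(name) {
  return `<p>Hello ${name}</p>\n` +
         `<input value="${name}">\n` +
         `<script>var n = "${name}";</script>`;
}

// Hardened rendering: escape at each output site, per context.
function renderSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>\n` +
         `<input value="${escapeHtml(name)}">\n` +
         `<script>var n = ${escapeForScript(name)};</script>`;
}

// A non-HTML consumer of the same stored value. Because nothing was
// encoded at input time, the API returns the real name, not "O&#39;Brien".
function apiResponse(name) {
  return JSON.stringify({ name });
}

// Helper for checks: how many times does a closing tag appear?
function countOccurrences(html, needle) {
  return html.split(needle).length - 1;
}

// Usage: print both versions side by side.
console.log('--- unsafe ---\n' + renderUnsafe(storedName));
console.log('--- safe ---\n' + renderSafe(storedName));
console.log('--- api ---\n' + apiResponse(storedName));
```

Two things worth checking in the output: the hardened page contains exactly one `</script>` (the template's own), while the unsafe page contains four, and parsing the escaped script literal back with `JSON.parse` returns the original name unchanged, so the escaping is lossless at the output boundary and the database never has to know which page will display the value.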
I usually escape on input, to prevent SQL injection.