• One of two fundamental security rules: (1) filter and validate all input; (2) escape output

• Always escape outside data unless previously filtered

• Typical output formats that require escaping when containing user data: html, json, sql

•  Never rely on client side (javascript) filtering

• Functions used to escape data before outputting within html: htmlspecialchars() htmlentities() strip_tags()