I have a problem with restricting malicious content in a field that can accept any input from the user.
I have to encode that field and save it in the database - see the examples:
1st example
<space> is saved as <space>
2nd example (malicious text)
"><svg/onload=prompt(1)>
is saved as "><svg/onload=prompt(1)>
Now in reports I have to decode that into the actual text, but the second text is now a malicious script. What should I do?
Is there any other way to stop malicious text on both client and server side?
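Added example (not part of the question) using the question's two sample strings: it contrasts storing the raw value and HTML-encoding it at output time with the question's store-encoded flow, where the report must emit the stored entities untouched in an HTML context and decode only for non-HTML output. Function names are assumptions.

```python
import html

# Constructed sample inputs mirroring the two examples in the question.
HARMLESS = "<space>"
PAYLOAD = '"><svg/onload=prompt(1)>'


# Approach A: store the raw input, encode at the point of output.
def store_raw(user_input: str) -> str:
    """Persist the text exactly as entered; encoding is an output concern."""
    return user_input


def render_html(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute value.

    quote=True also escapes " and ', so the value cannot close an
    attribute such as value="..." and start a new tag.
    """
    return html.escape(value, quote=True)


# Approach B (the flow in the question): store the HTML-encoded text.
def store_encoded(user_input: str) -> str:
    """Persist the HTML-encoded form of the input."""
    return html.escape(user_input, quote=True)


def report_from_encoded(stored: str, output_format: str) -> str:
    """Render a stored, encoded value for a report.

    For an HTML report the stored entities are emitted as-is (do not
    html.escape them again or you get a visible '&amp;lt;'); decoding
    is reserved for non-HTML output such as a plain-text export, where
    '<svg' is just characters and cannot execute.
    """
    if output_format == "html":
        return stored
    if output_format == "text":
        return html.unescape(stored)
    raise ValueError(f"unknown output format: {output_format}")


def can_open_tag(fragment: str) -> bool:
    """Rough check: a literal < or " left in an HTML fragment can still
    start a tag or close an attribute."""
    return "<" in fragment or '"' in fragment


if __name__ == "__main__":
    for sample in (HARMLESS, PAYLOAD):
        print(render_html(store_raw(sample)))
        print(report_from_encoded(store_encoded(sample), "html"))
        print(report_from_encoded(store_encoded(sample), "text"))
```

Either way, the rule is the same: encode for the context the value is emitted into (HTML here), and never hand a decoded value to an HTML renderer.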