From 561c5353152fe4537304103d94516cd06c94f073 Mon Sep 17 00:00:00 2001 From: geeeyetee Date: Thu, 2 Mar 2017 22:38:31 -0500 Subject: [PATCH] Update cross-site-scripting.md (#2873) --- aspnetcore/security/cross-site-scripting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/security/cross-site-scripting.md b/aspnetcore/security/cross-site-scripting.md index 8f18027532..1d38120233 100644 --- a/aspnetcore/security/cross-site-scripting.md +++ b/aspnetcore/security/cross-site-scripting.md @@ -219,7 +219,7 @@ Safe list ranges are specified as Unicode code charts, not languages. The [Unico > [!NOTE] > Customization of the safe list only affects encoders sourced via DI. If you directly access an encoder via `System.Text.Encodings.Web.*Encoder.Default` then the default, Basic Latin only safelist will be used. -## Where encoding should take place? +## Where should encoding take place? The general accepted practice is that encoding takes place at the point of output and encoded values should never be stored in a database. Encoding at the point of output allows you to change the use of data, for example, from HTML to a query string value. It also enables you to easily search your data without having to encode values before searching and allows you to take advantage of any changes or bug fixes made to encoders.
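Review bot: Changing the heading text changes the auto-generated anchor for this section (the old `#where-encoding-should-take-place` slug becomes `#where-should-encoding-take-place`), so before merging, check whether any other pages or the table of contents link to the old anchor and update them, or this grammar fix will silently break inbound links. The wording change itself is correct. While touching this hunk, the unchanged context line directly below the heading has the same kind of slip and could be folded into this PR: `The general accepted practice is that encoding takes place at the point of output` should read `The generally accepted practice is that encoding takes place at the point of output`.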