Affirm interview question

How do you remediate XSS?

Interview answer

Anonymous

Apr 2, 2022

Input validation - prefer an allowlist approach. However, there are situations where allowlist is not possible and for those cases, denylist can be used. Also make sure to encode the output, based on the context. So if the user input is going into HTML, then do HTML encoding of the data and so on.
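
The context-based encoding and allowlist validation described in the answer above, as an added example that is not part of the original answer. All function names and the sample `user` object are hypothetical; the same untrusted value is encoded differently for HTML, a URL query component, and an inline script string.

```javascript
// Added example: one encoder per output context (hypothetical helper names).
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Context: HTML element content and quoted attribute values.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Context: a single URL query component.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Context: a string literal inside an inline <script> block.
// JSON.stringify escapes quotes and backslashes; <, >, & and the line
// separators are then \u-escaped so the value cannot close the script element.
function encodeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Allowlist validation: a link target must parse as an http(s) URL,
// otherwise it is rejected (returns null) rather than "cleaned up".
function allowlistedHref(value) {
  let url;
  try { url = new URL(String(value)); } catch { return null; }
  return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : null;
}

// Renders a fragment where each sink gets the encoder for its own context.
function renderProfile(user) {
  const href = allowlistedHref(user.website);
  const link = href ? `<a href="${encodeHtml(href)}">site</a>` : '';
  return `<p>${encodeHtml(user.name)}</p>` +
    `<a href="/search?q=${encodeUrlParam(user.name)}">posts</a>` + link +
    `<script>var displayName = ${encodeJsString(user.name)};</script>`;
}
```
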