Validação de input versus codificação

Uma discussão muito interessante sobre isso em:

Input Validation - Not That Important no blog manicode

O post começa por dizer que validar o input é menos importante do que codificá-lo:

When I bring up almost any category of web application injection attacks, most folks in the field almost instinctively begin talking about "input validation". Sure, input validation is important when it comes to detecting certain attacks, but encoding of user-driven data (either before you present that data to another user, or before you use that data to access various services) is actually a great deal more important for truly stopping almost any class of web application injection attack.

mas depois há uma interessante discussão com argumentação a favor da validação:

Encoding is the best way to protect against injection based attacks, as it is always safest to make sure the content you are handing off elsewhere is well formed and safe (...)
Input validation is the best way to protect your own app and its logic, while output encoding/sanitization is the best way to protect components you communicate with (clients, other servers, the system you are one, etc).

que redunda no post:
Output Sanitization no blog Analytical Engine

Um caso interessante é o da second-order injection que creio não ser resolvido pela codificação.