16

An application needs to handle input and output of untrusted data carefully. As the case may be, values have to be escaped, filtered, validated or sanitized. There often seems to be a sloppy and interchangeable use of these terms although they are obviously not all equivalent.

I'm looking for a clarifying overview about the differences and the correct usage in a security context.

Arminius
  • Escaping, filtering, sanitizing = same thing depending on context. Validating = ensuring that input conforms to specific restrictions (length, format, etc). – Mark Buffalo Nov 29 '16 at 20:27
  • @MarkBuffalo Apparently others see more differences, though: https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data – Arminius Nov 29 '16 at 20:29

1 Answer

22

Escaping. Converting a control character to its escape sequence. For example, a < symbol may be converted to &lt; so that the characters following the < are not interpreted as an XML tag instead of XML content.

Filtering. Like escaping, but instead of replacing the control character, it is simply removed.

Validated. Comparison of an input against a white list or regular expression to detect control characters or other character sequences that would trigger an unauthorized behavior. For example, an account number entered by a user might be validated against a list of account numbers known to be tied to the user.

Sanitized. A combination of escaping, filtering, and validation that ensures that an input to a system function does not trigger an unexpected and unauthorized behavior.

John Wu
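As an added illustration, not part of the answer above, here are the four operations applied to constructed inputs in Python; the HTML control-character set, the account-number format, the per-user account whitelist and the display-name rules are assumptions chosen for the example:

```python
import html
import re

# Constructed sample input, not taken from the original post.
UNTRUSTED = '<script>alert(1)</script>Bob & "friends"'
# Hypothetical whitelist: account numbers known to belong to the current user.
USER_ACCOUNTS = {"12345678", "87654321"}
ACCOUNT_RE = re.compile(r"^[0-9]{8}$")
# Characters that change meaning inside HTML content or attributes.
HTML_CONTROL = re.compile(r'[<>&"\']')


def escape_html(value: str) -> str:
    """Escaping: replace each control character with its entity so the
    browser renders it as text instead of interpreting it as markup."""
    return html.escape(value, quote=True)


def filter_html(value: str) -> str:
    """Filtering: like escaping, but the control characters are dropped.
    Note the result is lossy; the original text cannot be recovered."""
    return HTML_CONTROL.sub("", value)


def validate_account(value: str) -> bool:
    """Validation: accept only values that match a strict format AND are on
    the whitelist tied to this user. The input is never modified, only
    accepted or rejected."""
    return bool(ACCOUNT_RE.fullmatch(value)) and value in USER_ACCOUNTS


def sanitize_display_name(value: str, max_len: int = 32) -> str:
    """Sanitizing: combine validation (length, printable characters only)
    with escaping so the result is safe to place inside HTML content."""
    if len(value) > max_len or not value.isprintable():
        raise ValueError("display name rejected by validation")
    return escape_html(value)
```

Validation rejects; escaping and filtering transform; which one is correct depends on where the value ends up (HTML content, attribute, SQL, shell), so the encoding step belongs at the output boundary for that context.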