...
As with input validation, normalize data before filtering for malicious characters. To avoid vulnerabilities caused data that may bypass validation, we recommended recommend that all output characters other than those known to be safe should be encoded.
...