Theme and sub-theme

• Any input that can be controlled or influenced by a user (or attacker) must be validated carefully. Period.

• • Validation should use whitelists, not blacklists

• Browsers do not generate very much hostile traffic, programs do. Expect the unexpected.

• • Javascript validation is not sufficient