Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the external party.
I don't want to be writing 50 lines of code when I could do the job in 10 lines... that makes sense :p Any help would be appreciated, thanks!
I should mention that there is another form of XSS that exploits neither flaws in the client (the browser) nor flaws in the server (the application) but flaws in the user. However, if the data is stored on the server or reflected from the server, then the server is assisting in the vulnerability.
This is often called Self-XSS, and exploits the willingness of an inept user to execute JavaScript he has copied and pasted from the Internet and into his browser's developer tools console, solely on the basis of the promise that against all hope, it will magically allow him to read his ex-girlfriend's Facebook posts despite the fact she has unfriended and blocked him. IE8 introduced X-XSS-Protection, which made reflected attacks more difficult to exploit.
start date is before end date, price is within expected range).
It is always recommended to prevent attacks as early as possible in the processing of the user’s (attacker's) request.