Best practices for application security implementation

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

This question is related to best practices for application design. My
hypothetical application integrates with other applications through
interfaces (file uploads, downloads, XML exchange etc). Online users
connect to this application using Internet Explorer. Application
database is also used to create reports etc.

We have three approaches, not-necessarily conflicting, prototyped and
ready for implementation. We want a peer feedback on what is done by

Our options are
1.    Capture bad characters at input and reject. Bad data will not be
stored in application for processing.(e.g. any input with scripting
characters will be captured and rejected) problem is that we will
also reject legitimate inputs
2.    Intercept input and strip out or encode bad characters before
storing in application. problem is that data stored in database is
not what use sent. In many cases legitimate inputs will get altered
because of use of such characters.
3.    Accept all inputs and persist to database. Encode output going to
browsers to make it harmless. Issue is that a malicious input (script)
will come to our application, and than may get passed to other peer
application. It may be ok as long as all applications take care to
immune themselves.

Please share your feedback on what options you will prefer.

Site Timeline