Output Validation
Every value the application writes into a response must be treated as untrusted data and made safe for the context in which the browser will interpret it. Active content (script, event-handler attributes, script-bearing URLs) that the application did not itself intend to send must not reach the user, regardless of whether the value came from request input, an internal database, a file, or another back-end system: stored data is only as trustworthy as whatever input validation was applied when it was written, if any.
Output validation and output encoding are the primary defence against cross-site scripting (XSS). Where the expected form of a value is known (a number, a date, a fixed set of status strings), check that the output matches that form exactly; a value carrying characters beyond what the field should contain is a sign that something other than the expected data is being rendered.
Output Requirements Checks
Check the content for script. Searching only for <script> tags is not enough, because an attacker can carry script in an event-handler attribute (onerror, onload), a javascript: URL, or other active content instead. Encode the characters that have meaning in HTML, in particular < and >, so that they render as text; then any tag that reaches the user was emitted by the application's own templates and not by data.
Brackets, double quotes and single quotes must be encoded for the context in which they are output (HTML body, attribute value, JavaScript string, URL) so that they display correctly and cannot terminate the surrounding markup or code. In PHP, htmlspecialchars() performs HTML encoding; pass ENT_QUOTES so that single quotes are encoded as well, since older PHP versions do not do so by default.
Check the length of the output against what the field can legitimately hold. A response field far longer than expected is a sign of a data dump (for example an injection that pulled whole tables into a single field); refusing or truncating it limits what an attacker can extract even when an earlier control has failed.
Look for characters or embedded content in the raw value that indicate a possible attack against the browser (script tags, event-handler attributes, javascript: URLs) and notify an administrator. Encoding already renders such content harmless; the purpose of this check is detection, so log and alert on it rather than relying on it as the control.
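The four checks above, combined into one worked example. This is added illustration code, not code from the original page; the function names, the marker list and the sample comment are constructed for the example. It goes beyond the page in one respect: it shows a second output context (a JavaScript string literal), because HTML entity encoding does not protect a value placed inside <script>, and encoding has to match the context the value is rendered in.

```python
"""Output-encoding and output-sanity checks applied before a value reaches the browser.

Added example. Names (html_encode, js_string_encode, render_for_user, ...) are
hypothetical; the sample comment in __main__ is constructed.
"""
from __future__ import annotations

import re

# Characters that carry meaning in HTML text and quoted attribute values.
# str.translate is a single pass, so the '&' of an entity just emitted is
# not encoded a second time.
_HTML_ENTITIES = {
    ord("&"): "&amp;",
    ord("<"): "&lt;",
    ord(">"): "&gt;",
    ord('"'): "&quot;",
    ord("'"): "&#x27;",
    ord("/"): "&#x2F;",
}


def html_encode(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute value.

    '<script>' becomes '&lt;script&gt;': the browser shows the tag as text
    instead of executing it, and the original characters survive, which is
    why encoding is preferred over stripping or blacklisting tags.
    """
    return value.translate(_HTML_ENTITIES)


def js_string_encode(value: str) -> str:
    """Encode for a JavaScript string literal inside a <script> block.

    HTML entities do not help here, the JS parser never decodes them. Every
    non-alphanumeric character becomes \\xHH or \\uHHHH, so the value can
    neither close the string literal nor the surrounding </script>.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 0x100:
            out.append(f"\\x{code:02x}")
        elif code <= 0xFFFF:
            out.append(f"\\u{code:04x}")
        else:  # outside the BMP: JS needs a UTF-16 surrogate pair
            code -= 0x10000
            out.append(f"\\u{0xD800 + (code >> 10):04x}\\u{0xDC00 + (code & 0x3FF):04x}")
    return "".join(out)


def within_length(value: str, max_len: int) -> bool:
    """A field far longer than the page expects signals a dump, not normal output."""
    return len(value) <= max_len


# Patterns in the raw value that look like an attempt to run code in the
# browser. Encoding already neutralises them; matching is for alerting only,
# and it is deliberately coarse (e.g. 'one=' trips the handler pattern).
_ATTACK_MARKERS = [
    ("script tag", re.compile(r"<\s*/?\s*script", re.I)),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("data: HTML URL", re.compile(r"data\s*:\s*text/html", re.I)),
    ("iframe/object/embed", re.compile(r"<\s*(iframe|object|embed)\b", re.I)),
]


def attack_markers(value: str) -> list[str]:
    """Names of the markers present in value, to include in the administrator alert."""
    return [name for name, pat in _ATTACK_MARKERS if pat.search(value)]


def render_for_user(value: str, context: str = "html", max_len: int = 256) -> tuple[str, list[str]]:
    """Run the checks in order: length, marker detection, then context encoding.

    Returns (encoded_value, markers). The caller logs/alerts on a non-empty
    marker list; the encoded value is safe to emit either way.
    """
    if not within_length(value, max_len):
        raise ValueError(f"output of {len(value)} chars exceeds limit of {max_len}")
    markers = attack_markers(value)
    if context == "html":
        encoded = html_encode(value)
    elif context == "js":
        encoded = js_string_encode(value)
    else:
        raise ValueError(f"no encoder for output context {context!r}")
    return encoded, markers


if __name__ == "__main__":
    # Constructed sample: a stored comment containing an injected payload.
    comment = '<img src=x onerror="alert(document.cookie)">'
    encoded, markers = render_for_user(comment)
    print(encoded)   # &lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;
    print(markers)   # ['event handler attribute']
    print(render_for_user("</script><script>1</script>", context="js")[0])
```

The marker list is a detection aid, not the defence: a value that matches nothing is still encoded, and a false positive only produces a log entry. The length limit is a per-field number the template knows (a username is not 4 KB); raising on it rather than silently truncating makes an unexpected dump visible.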