(AD) Sponsored links
This site is build on openstandards with opensource software and an openmind. That is why all content is licenced under the open content licence.
Never trust data, no matter what the source is
Drupal evolved towards this from a blog alike system 10 years ago, a content type with user generated comments below. Back then everybody knew that you should filter User Generated Content and stripe the HTML if you cared about the site. Many other systems up to today however do not filter UGC good enough; user signups, search input and many other ways a user can give input ot the system.
Now Drupal is talking to other systems, combining data from multiple sources, devs still need to understand that one should ***never*** trust input data, no matter if the source is another database or a user.
Because, what could possibly go wrong with just displaying this data directly or injecting it in the database? Why should you "checkplain" the TXT fields in zone of a domain? Why?