oauth-v2-1
what does it mean to "sanitise" state/redirect urls?
https://drafts.oauth.net/oauth-v2-1/draft-ietf-oauth-v2-1.html#section-7.11 says:
A code injection attack occurs when an input or otherwise external variable is used by an application unsanitized and causes modification to the application logic. This may allow an attacker to gain access to the application device or its data, cause denial of service, or introduce a wide range of malicious side-effects.
The authorization server and client MUST sanitize (and validate when possible) any value received -- in particular, the value of the state and redirect_uri parameters.
I don't really know what "sanitize" means here. I don't think it would be correct for an AS to remove some characters from state because it decided it didn't like them - the only sane option seems to be to reject the request.
(From a discussion on today's FAPI WG call)
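One concrete reading of "validate, and reject rather than rewrite", written as an added example for this post (it is not code from the draft, the FAPI WG, or the original poster). It assumes a hypothetical in-memory client registry (REGISTERED_CLIENTS) and a local length cap (MAX_STATE_LEN) that the draft does not specify. redirect_uri is checked by simple string comparison against the registered values, which is the comparison OAuth 2.1 requires; state is checked against the RFC 6749 grammar (one or more VSCHAR, i.e. %x20-7E) so that it can be echoed back to the client untouched. Any value that fails is rejected with an error rather than having characters stripped, because a rewritten state could no longer be correlated by the client, and an unregistered redirect_uri must never be redirected to at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed local policy limit on state length; the draft sets no number.
MAX_STATE_LEN = 512

# Constructed stand-in for the authorization server's client database.
REGISTERED_CLIENTS: Dict[str, List[str]] = {
    "client-abc": ["https://app.example/cb"],
    "client-multi": ["https://app.example/cb", "https://app.example/cb2"],
}


class InvalidRequest(ValueError):
    """Raised when a parameter fails validation; the AS rejects the request."""


@dataclass(frozen=True)
class AuthorizationRequest:
    client_id: str
    redirect_uri: Optional[str]
    state: Optional[str]


def validate_state(state: Optional[str]) -> Optional[str]:
    """Accept state only if it matches RFC 6749's 1*VSCHAR (%x20-7E).

    The value is returned exactly as received; nothing is stripped, because
    the client must get the identical string back to correlate the response.
    """
    if state is None:
        return None  # parameter absent: fine, nothing to echo back
    if state == "":
        raise InvalidRequest("state must not be empty when present")
    if len(state) > MAX_STATE_LEN:
        raise InvalidRequest("state exceeds local length limit")
    # CR/LF, control characters and non-ASCII all fall outside VSCHAR.
    if not all(0x20 <= ord(ch) <= 0x7E for ch in state):
        raise InvalidRequest("state contains characters outside VSCHAR")
    return state


def validate_redirect_uri(client_id: str, redirect_uri: Optional[str]) -> str:
    """Resolve the redirect target by exact string match against the registry.

    No normalisation (case folding, trailing slash, percent-decoding) is done:
    OAuth 2.1 requires simple string comparison, and a value that does not
    match is an error the AS must report to the user without redirecting.
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    if registered is None:
        raise InvalidRequest("unknown client_id")
    if redirect_uri is None:
        if len(registered) == 1:
            return registered[0]  # the single registered URI is unambiguous
        raise InvalidRequest("redirect_uri required: several URIs registered")
    if redirect_uri not in registered:
        raise InvalidRequest("redirect_uri does not exactly match a registered URI")
    return redirect_uri


def validate_authorization_request(req: AuthorizationRequest) -> Dict[str, Optional[str]]:
    """Return the validated redirect target and state, or raise InvalidRequest."""
    state = validate_state(req.state)
    redirect_uri = validate_redirect_uri(req.client_id, req.redirect_uri)
    return {"redirect_uri": redirect_uri, "state": state}


def is_acceptable(req: AuthorizationRequest) -> bool:
    """Convenience wrapper: True if the request passes, False if it is rejected."""
    try:
        validate_authorization_request(req)
        return True
    except InvalidRequest:
        return False


if __name__ == "__main__":
    ok = AuthorizationRequest("client-abc", "https://app.example/cb", "xyz-123")
    print(validate_authorization_request(ok))
    for bad in (
        AuthorizationRequest("client-abc", "https://app.example/cb/../other", "s"),
        AuthorizationRequest("client-abc", "https://app.example/cb", "line1\r\nline2"),
        AuthorizationRequest("client-multi", None, "s"),
    ):
        print(bad, "->", "accepted" if is_acceptable(bad) else "rejected")
```

The point the example makes for the thread: "sanitize" here cannot usefully mean editing the value. Both checks are pure accept-or-reject decisions, and the values that come out are byte-for-byte the values that went in.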