Josh Grossman

Results 772 comments of Josh Grossman

Ok so I am ok with this then: > Verify that the resource server only accepts access tokens that are intended for use with that service (audience). The audience may...

@vdbaan I think we may have missed the subtle points this requirement is trying to make. I think it is trying to make clear that input validation should be based...

I 100% agree. Can you suggest an alternative wording which makes it clear from your perspective but also makes it clear that all the violation of sanitization has to be...

Hi @jmanico, I saw the fix and was concerned that the original intention was not clear, which is why I asked @vdbaan if he had an alternative suggestion.

Thanks @vdbaan, so when you say sanitisation, you are talking about a situation where HTML markup is allowed. In this case, you would say that a sanitiser such as DOMPurify...

Great spot @elarlang! Please can you take a look at my further change [here](https://github.com/OWASP/ASVS/pull/1258/commits/151379a5b97ee78314e079efe04ab44e9b281cd0) (I added the [MODIFIED] tag in a subsequent commit) and if you agree please approve #1258

So I would argue that the change solves your issue @elarlang since we are not promoting sanitizing the user input inside the input validation requirement but rather we are referring...

Ugh, so I think maybe we need to make it clear that input validation is a control based on business requirements rather than security requirements, i.e. what is the business...