jdMorgan - 2:31 pm on Mar 4, 2010 (gmt 0)
It's hard to tell exactly what they meant by "Improper Encoding or Escaping of Output," but as long as Web coders abide by the philosophy implied by your above post on input validation, then output encoding for input to a script or database should not be so much of a problem.
The basic philosophy for input validation must be, "specify what you are willing to accept, rather than trying to reject what you are not willing to accept."
While these two approaches may initially seem to be mirror-images of each other, the consequences can be quite different if you forget to include something in each method's "list" -- if you forget to include something in your "accept" list, then you'll find that problem early on in the debug stage. If you forget to include something in your "reject" list, then you may not find that error until you're investigating a successful hack.
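To make the difference concrete, here is a small added example (my own code, not jdMorgan's) that runs the same constructed inputs through an "accept" list and a "reject" list. The username policy (letters, digits, underscore, 1 to 32 characters) is hypothetical, the reject list is deliberately incomplete in the way real ones tend to be, and the sample strings are made up for the demonstration. It shows the asymmetry from the post: the accept list's omission (the hyphen) bites a legitimate user immediately, while the reject list's omissions (backtick, null byte, newline) let hostile strings through silently.

```python
import re

# Accept list: state exactly what a username may contain; everything else is
# rejected. Hypothetical policy for this example only.
ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def allowlist_accepts(value: str) -> bool:
    # fullmatch anchors both ends; re.match with "$" would still accept a
    # value that ends in a newline.
    return ALLOWED_USERNAME.fullmatch(value) is not None


# Reject list: enumerate characters we believe are dangerous. Deliberately
# incomplete: it forgets the backtick, the null byte and line breaks.
DENIED_CHARS = frozenset("'\";<>&|$()")


def denylist_accepts(value: str) -> bool:
    return not any(ch in DENIED_CHARS for ch in value)


# Constructed sample inputs: (value, is_legitimate).
SAMPLE_INPUTS = [
    ("alice", True),
    ("bob_99", True),
    ("mary-jane", True),                 # legitimate, but the accept list forgot '-'
    ("carol'; DROP TABLE users;--", False),
    ("dave`id`", False),                 # backtick is missing from the reject list
    ("erin\x00admin", False),            # null byte is missing from the reject list
    ("frank\nX-Injected: 1", False),     # newline is missing from the reject list
]


def classify(inputs):
    """Return (legit_rejected_by_allowlist, hostile_passed_by_denylist).

    The first list is the "forgot something in the accept list" case: a real
    user sees an error right away, so it turns up while debugging. The second
    list is the "forgot something in the reject list" case: nothing complains,
    and the string reaches the script or database.
    """
    legit_rejected = [v for v, legit in inputs if legit and not allowlist_accepts(v)]
    hostile_passed = [v for v, legit in inputs if not legit and denylist_accepts(v)]
    return legit_rejected, hostile_passed


def allowlist_blocks_all_hostile(inputs) -> bool:
    """True if the accept list rejects every hostile sample, even the ones the
    reject list never anticipated."""
    return all(not allowlist_accepts(v) for v, legit in inputs if not legit)


if __name__ == "__main__":
    rejected, passed = classify(SAMPLE_INPUTS)
    print("legitimate values the accept list refused:", rejected)
    print("hostile values the reject list let through:", [repr(v) for v in passed])
    print("accept list stops every hostile sample:", allowlist_blocks_all_hostile(SAMPLE_INPUTS))
```

The fix for the accept list's mistake is obvious and local (add the hyphen to the character class); the reject list has no such fix, because its failure mode is whatever you did not think of. Either way, the validated value should still be handed to the database or shell through a parameterised interface rather than string concatenation, since validation and output encoding are separate defences.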