I’m not sure why you people are being so hard headed. He didn’t say that he didn’t ALSO fix the sanitizer. But like all things in web security adding the HttpOnly flag raises the bar. Why not do it? He isn’t advocating using HttpOnly in lieu of other good security measures.
As for sanitizing input verses output I prefer to sanitize output. There are too many other systems downstream that are impacted by sanitizing the input. I write enterprise systems, not forums. There is a big difference. I can’t pass a company name of Smith%32s%20Dairy to some back end COBOL system. They wouldn’t know what to do with it.
For those of you that decide to sanitize your input, it must be nice to write web applications that live in a vacuum…