Why is allowlist validation preferred over denylist, and what role does canonicalization play?

Allowlist (positive) validation defines exactly what is acceptable and rejects everything else; denylist (negative) tries to enumerate what's bad — which always loses because attackers find encodings, edge cases, and bypasses the blocklist didn't anticipate (e.g. blocking <script> misses <img onerror>). Allowlisting fails closed and is far more robust. Canonicalization is the critical prerequisite: you must convert input to a single, normalized form before validating, because the same value has many representations (URL-encoding, double-encoding, Unicode normalization, ..%2f, mixed case, alternate path separators). If you validate before canonicalizing, an attacker smuggles a payload past the check that later decodes into something dangerous. Rule: canonicalize first, then allowlist-validate, then use — and remember input validation is defense-in-depth, not a substitute for context-aware output encoding/parameterization at the sink.