Review the use of validateInput. Considerations:

      • For some fields (e.g., SshKey::description), validateInput might reject characters that are otherwise valid.
      • In general, fields should be filtered on output.
        • Output includes HTML rendering, the REST API, and provisioning.
      • In general, SQL injection protection should be handled by Cake.
      • Field validation should be aligned with the field content.
        • e.g., email addresses should be constrained to characters valid for email addresses.
      • Proactive input validation might be more important for self-service enabled fields than for fields that are only editable by an administrator, especially platform and CO administrators.
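The considerations above contrast a generic character blocklist with field-specific validation and context-specific output escaping. The following PHP is an added illustration written for this review, not COmanage or CakePHP code; every function name is hypothetical, the blocklist regex only stands in for a validateInput-style check and does not reproduce the real one, and the sample values are constructed.

```php
<?php
// Added example (not COmanage or CakePHP code). Function names are hypothetical.

// A generic character blocklist standing in for a validateInput-style check.
// This is an assumption for illustration, not the real validateInput.
function rejectsSuspiciousChars(string $value): bool
{
    return preg_match('/[<>"\'\\\\]/', $value) === 1;
}

// Field-specific validation: an email address is constrained to what is valid
// for an email address rather than run through a generic blocklist.
function isValidEmail(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// A free-text description (SshKey::description is the example in the issue)
// legitimately contains quotes or angle brackets. Validation here only bounds
// length and rejects control characters; HTML safety is handled on output.
function isValidDescription(string $value): bool
{
    return strlen($value) <= 256
        && preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value) !== 1;
}

// Output filtering chosen per context: HTML rendering vs. the REST API.
function renderHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderJson(array $record): string
{
    return json_encode($record, JSON_THROW_ON_ERROR);
}

// Constructed sample values.
$description = 'Key for "build" host <ci-01>';
$goodEmail   = 'user@example.org';
$badEmail    = 'user<script>@example.org';

// The generic blocklist rejects a legitimate description, while the
// field-aligned validator accepts it and the output encoder neutralises it.
var_dump(rejectsSuspiciousChars($description));
var_dump(isValidDescription($description));
echo renderHtml($description), "\n";
echo renderJson(['description' => $description]), "\n";

// The email validator is the field-specific check the issue asks for.
var_dump(isValidEmail($goodEmail));
var_dump(isValidEmail($badEmail));
```

The SQL consideration is deliberately absent from the snippet: with Cake's ORM, query values are bound as parameters, so neither the blocklist nor the field validators above should be relied on for injection protection.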

Assignee: Arlen Johnson
Reporter: Benn Oshrin (internet2.edu)
