I have a general question. Should we normally sanitize the SMS text command that the user inputs via their phone for which we send the response? If yes, should we sanitize right away, i.e. as soon as it comes? Any ideas for the ways that this can be done in asp.net V4.5/MVC? I am using Twilio. Does Twilio Helper have any APIs to do this?


Solution

Should we normally sanitize the SMS text command that the user inputs via their phone for which we send the response?

I'm assuming you mean "send to the response", as in Response object in ASP.NET?

Like all input to your application, you should properly encode it when output to the response. You can usually store it in raw, unencoded format in your database, but if this is output to HTML or JavaScript then it should be encoded properly.

e.g. If the " character is output into HTML, then you should encode this as &quot; at the point of output. In MVC, this is automatically done by Razor using the @variable syntax. In classic MVC, the syntax is <%: variable%> (never use <%=variable%> as this will not encode).

If output to JavaScript then it should be hex entity encoded, so " becomes \x22. You can do this in MVC using @Html.Raw(HttpUtility.JavaScriptStringEncode(variable)) (this example is using Razor).

Check out the OWASP XSS Prevention Cheat Sheet for tips on how to encode correctly depending on output context.
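The following console program is an added example, not code from the question, the answer, or the Twilio helper library. It takes a constructed SMS body (the `IncomingSms` string is made up for the demo) and shows the "store raw, encode at output" rule from the answer applied per context, using the .NET `HttpUtility` encoders the answer mentions. The Razor snippets in the comments are the equivalent view syntax; the `UnsafeJsContext` helper exists only to show why HTML encoding is the wrong tool inside a script.

```csharp
using System;
using System.Web; // HttpUtility: System.Web.dll on .NET Framework 4.5, System.Web.HttpUtility on .NET Core / .NET 5+

static class SmsOutputEncoding
{
    // Constructed SMS body for the demo. It carries characters that are
    // significant in HTML and inside a JavaScript string literal.
    public const string IncomingSms =
        "STATUS \"north gate\" <b>open</b> & closed\n</script><script>alert(1)</script>";

    // Store this unchanged; nothing below mutates the raw value.

    // Context 1: text inside an HTML element or a double-quoted attribute.
    // Razor does this for you with @Model.Body; WebForms-style views need <%: body %>.
    // " becomes &quot;, < becomes &lt;, & becomes &amp;, so the browser renders
    // the SMS as text instead of parsing it as markup.
    public static string ForHtmlBody(string raw) => HttpUtility.HtmlEncode(raw);

    // Context 2: inside a JavaScript string literal, e.g. var cmd = "...";
    // Razor equivalent: var cmd = "@Html.Raw(HttpUtility.JavaScriptStringEncode(Model.Body))";
    // Quote, backslash and line breaks (which would end or break the literal)
    // are escaped, and < > & are escaped as \uXXXX so a "</script>" sequence
    // can never appear in the emitted page.
    public static string ForJsString(string raw) => HttpUtility.JavaScriptStringEncode(raw);

    // Same encoder, but the overload that wraps the result in quotes for you,
    // so the view does not have to place the surrounding " characters.
    public static string ForJsLiteral(string raw) => HttpUtility.JavaScriptStringEncode(raw, addDoubleQuotes: true);

    // Anti-pattern for comparison: HTML encoding inside a script. The script
    // receives "&quot;" as literal text (wrong data), and the newline in the
    // SMS is left untouched, which breaks the JavaScript string literal.
    public static string UnsafeJsContext(string raw) => "var cmd = \"" + HttpUtility.HtmlEncode(raw) + "\";";

    static void Main()
    {
        Console.WriteLine("Raw (stored as-is):");
        Console.WriteLine(IncomingSms);
        Console.WriteLine();

        Console.WriteLine("HTML body / attribute context:");
        Console.WriteLine("<p>" + ForHtmlBody(IncomingSms) + "</p>");
        Console.WriteLine();

        Console.WriteLine("JavaScript string context (correct):");
        Console.WriteLine("var cmd = \"" + ForJsString(IncomingSms) + "\";");
        Console.WriteLine("var cmd2 = " + ForJsLiteral(IncomingSms) + ";");
        Console.WriteLine();

        Console.WriteLine("JavaScript string context with HTML encoding (wrong tool):");
        Console.WriteLine(UnsafeJsContext(IncomingSms));
    }
}
```

The point to take from the three outputs is that the same stored value needs a different encoder per sink, chosen at the place where the value is written out; none of these encoders is applied to the inbound SMS when it arrives.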

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow