Do I need output escaping if I sanitize all inputs?

StackOverflow https://stackoverflow.com/questions/21086587

Frage

I'm developing a web application using nodejs and need to escape outputs. I also sanitize all the input and remove any script and /script tags and all codes between them. Which parts of output should be escaped and is there any module for it?

War es hilfreich?

Lösung

For the most parts, you actually shouldnt sanitise the input for a specific case. Try storing it unsanitized (dont strip anything), then do it when you output things.

This way, you can always use the submitted data for any other form of presentation, not only HTML. If the user submits a < you shouldnt store &lt;. Also, when sanitizing the output you are 100% sure its done.

Lizenziert unter: CC-BY-SA mit Zuschreibung
Nicht verbunden mit StackOverflow
scroll top