Question

I have a webpage that accepts multiple file inputs. If the file size is too big or the file type is not correct, I would like to display an alert to warn the user with something like:

FileName: Size exceeds 500kB.

Where FileName is the file name given by the user. I consider this a user input. Is there a need to do any sanitization here? And what would it be like?


Solution

As a rule of thumb, I would always sanitize any user input. I know it may sound bad, but basically, don't trust your users! That being said, I don't think there is an easy way to hack file inputs, but obviously someone could upload a malicious file, which normally comes in the form of an .exe or .zip, both of which I would eliminate from being uploaded.

If I were you, I would check out validate.js, it offers client-side validation and is pretty simple to set up. You can specify what file types to accept and an upload size for file input.

As it stands, you can echo back the filename without worrying about sanitizing the filename.
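As an added example (not code from the answer above or from validate.js), here is a client-side size and type check of the kind the answer describes, with the message written through textContent so that a filename containing markup is displayed literally instead of being parsed as HTML. The 500kB limit, the allowed MIME types and the element ids are assumptions for illustration.

```javascript
// Added example: client-side file input checks with safe display of the filename.
// The core check is pure (works on any {name, size, type} objects, so also on a
// browser FileList); the display helper only runs where a DOM exists.
// MAX_BYTES and ALLOWED_TYPES are assumed values chosen for this example.
const MAX_BYTES = 500 * 1024;
const ALLOWED_TYPES = new Set(["image/png", "image/jpeg", "application/pdf"]);

// Returns one message per rejected file; an empty array means every file passed.
// Note: File.type is derived by the browser from the extension, so this is a
// usability check only; the server must re-check size and content on upload.
function checkFiles(files, maxBytes = MAX_BYTES, allowedTypes = ALLOWED_TYPES) {
  const problems = [];
  for (const f of files) {
    if (!allowedTypes.has(f.type)) {
      problems.push(`${f.name}: type "${f.type || "unknown"}" is not allowed.`);
    } else if (f.size > maxBytes) {
      problems.push(`${f.name}: size exceeds ${Math.round(maxBytes / 1024)}kB.`);
    }
  }
  return problems;
}

// Renders the messages into a container as text nodes. Because textContent is
// used instead of innerHTML, a name like "<b>report</b>.png" shows its angle
// brackets rather than being interpreted as markup. alert() would also show the
// name as plain text, but it blocks the page and cannot be styled.
function showProblems(container, problems) {
  container.textContent = "";
  for (const msg of problems) {
    const li = document.createElement("li");
    li.textContent = msg;
    container.appendChild(li);
  }
}

// Browser wiring; assumes <input type="file" multiple id="files"> and <ul id="errors">.
if (typeof document !== "undefined") {
  const input = document.getElementById("files");
  if (input) {
    input.addEventListener("change", () => {
      showProblems(document.getElementById("errors"), checkFiles(input.files));
    });
  }
}
```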

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow