DotNetQuestionDate

Reputation: 247

Sanitizing input that will later appear in HTML

I've got a <textarea> whose value is sent off to the server and stored in a database. This value is then later rendered on different pages in HTML.

What do I need to do to sanitize this? Just remove the HTML tags? (It's already SQL-injection safe because I'm using a stored procedure and parameters.)

Does anyone have a sanitize routine?

Upvotes: 3

Views: 1310

Answers (2)

usr

Reputation: 171178

Do not sanitize input. Instead encode it when you output it. This is easy to enforce with the .NET 4 features (<%: "" %>) or by code-reviewing.

Data should be stored in its native format. Human-readable text has as its native format just text, not some encoded version of it. You cannot easily manipulate encoded text (say doing highlighting of words or replaces).

Not encoding text in the database even saves a little storage space.

Sanitizing input is hard anyway. It is very hard to do more than just encoding everything. Blacklisting HTML tags is a certain way to forget something so don't do it.

Upvotes: 2
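The store-raw, encode-on-output approach usr describes, as an added C# example that is not part of this thread. The CommentRenderer class, the sample input and the naive tag-stripping regex are constructed for illustration; WebUtility.HtmlEncode does the same job as the <%: %> syntax mentioned above.

```csharp
using System;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not the thread's code. Models the answer's advice:
// keep the text as typed in the database, encode only at render time.
static class CommentRenderer
{
    // Storage: the value from the <textarea> is kept exactly as typed.
    public static string Store(string userInput) => userInput;

    // Output in an HTML context: encode here, every time it is rendered.
    public static string RenderHtml(string stored) => WebUtility.HtmlEncode(stored);

    // Working on native text is easy: search the raw text, then encode each
    // fragment separately and wrap the hits in <mark>. Doing this on text
    // that was already encoded in the database would be far more awkward.
    public static string RenderHighlighted(string stored, string term)
    {
        var sb = new StringBuilder();
        int pos = 0;
        while (true)
        {
            int hit = stored.IndexOf(term, pos, StringComparison.OrdinalIgnoreCase);
            if (hit < 0) break;
            sb.Append(WebUtility.HtmlEncode(stored.Substring(pos, hit - pos)));
            sb.Append("<mark>")
              .Append(WebUtility.HtmlEncode(stored.Substring(hit, term.Length)))
              .Append("</mark>");
            pos = hit + term.Length;
        }
        sb.Append(WebUtility.HtmlEncode(stored.Substring(pos)));
        return sb.ToString();
    }

    // The "just remove the tags" idea from the question, for contrast:
    // anything that looks like <...> is dropped, legitimate text included.
    public static string NaiveStripTags(string s) => Regex.Replace(s, "<[^>]*>", "");
}

class Program
{
    static void Main()
    {
        // Constructed input: ordinary prose that happens to contain < and >.
        string stored = CommentRenderer.Store("if a < b then c > d, use <b>bold</b> sparingly");
        Console.WriteLine(CommentRenderer.RenderHtml(stored));              // every < > & " ' encoded
        Console.WriteLine(CommentRenderer.RenderHighlighted(stored, "bold")); // only our <mark> is live markup
        Console.WriteLine(CommentRenderer.NaiveStripTags(stored));          // "< b then c >" has been eaten
    }
}
```

The last line shows the cost of tag removal: the words between the user's "<" and ">" disappear, while encoding preserves them and still renders safely.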

mpen

Reputation: 282805

Either remove the tags completely, or replace any special characters such as < and > with their HTML entities (&lt;). Whatever server-side language you're using probably already has a function to do this. PHP's htmlspecialchars or strip_tags will do the trick, for example.

Upvotes: 0
