8 Matching Annotations
- Oct 2020
-
github.com
-
By default all content inside template strings is escaped. This is great for strings, but not ideal if you want to insert HTML that's been returned from another function (for example: a markdown renderer). Use nanohtml/raw to interpolate HTML directly.
-
-
www.onwebsecurity.com
-
Yet it can be deceivingly difficult to properly encode (user) input
They were talking about output encoding but then switched to input encoding? Did they really mean to say input encoding here?
-
When processing untrusted user input for (web) applications, filter the input, and encode the output.
-
- May 2020
-
docs.gitlab.com
-
Encoding API parameters of array and hash types
-
- Apr 2020
-
security.stackexchange.com
-
You don't "sanitize your output" you encode it for proper context within the application it is being presented. You encode the output for HTML, HTML Attribute, URL, JavaScript
-
When you output the data, you know the use case of the data. This knowledge allows you to safely sanitize the output data accordingly.
-
I would call this output encoding instead of sanitization
-
-
wpvip.com
-
1. Validation: you “validate”, i.e. deem valid or invalid, data at input time. For instance, if asked for a zipcode the user enters “zzz43”, that’s invalid. At this point, you can reject or… sanitize.
2. Sanitization: you make data “sane” before storing it. For instance, if you want a zipcode, you can remove any character that’s not [0-9].
3. Escaping: at output time, you ensure data printed will never corrupt display and/or be used in an evil way (escaping HTML etc…).
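Read together, the annotations above describe one pipeline: validate at input time, sanitize what you store, and encode at output time for the specific context (HTML body, HTML attribute, URL, JavaScript), with templates that escape by default and a deliberate opt-out for HTML that a trusted step (such as a markdown renderer) already produced. The block below is an added example and is not code from nanohtml, the Security Stack Exchange answer, or wpvip.com; the `html`/`raw` helpers only imitate the shape of nanohtml's escape-by-default template strings, and the five-digit zipcode format, function names and sample values are assumptions made for the illustration.

```javascript
// Added example: validation, sanitization and context-specific output
// encoding. Not nanohtml's code; `html`/`raw` only mimic its escape-by-
// default template idea. Zip format and sample values are assumptions.

// --- 1. Validation: deem input valid or invalid at input time ----------
const ZIP_RE = /^[0-9]{5}$/; // assumed: US five-digit zipcode

function isValidZip(input) {
  return typeof input === 'string' && ZIP_RE.test(input);
}

// --- 2. Sanitization: make the data "sane" before storing it -----------
// Strips anything that is not a digit. "zzz43" becomes "43", which is why
// sanitizing is not a substitute for validating: re-check afterwards.
function sanitizeZip(input) {
  return String(input).replace(/[^0-9]/g, '');
}

// --- 3. Output encoding: one encoder per output context ----------------
// HTML body and attribute context. Quotes are encoded too, so the same
// encoder is safe inside double- and single-quoted attribute values.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL query-parameter context.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// JavaScript string-literal context inside a <script> block. JSON.stringify
// escapes quotes and backslashes; "<" and ">" are escaped as well so the
// literal can never contain "</script>", and the two line terminators that
// JSON permits but JS string literals historically did not are escaped.
function encodeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Marker for HTML that is already safe (e.g. output of a trusted markdown
// renderer or of one of the encoders above). Same purpose as nanohtml/raw.
class RawHtml {
  constructor(value) { this.value = String(value); }
}
function raw(value) { return new RawHtml(value); }

// Tagged template: every interpolation is HTML-encoded unless wrapped in raw().
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof RawHtml ? v.value : encodeHtml(v)) + strings[i + 1];
  });
  return out;
}

// Worked example. `renderedBio` stands for HTML returned by a trusted
// renderer; wrapping it in raw() is only safe if that renderer is trusted.
function renderProfile(name, zipInput, renderedBio) {
  const zip = isValidZip(zipInput) ? zipInput : sanitizeZip(zipInput);
  if (!isValidZip(zip)) return null; // reject: sanitizing did not rescue it
  return (
    // attribute and body context: html`` encodes both
    html`<div title="${name}">${name} (${zip})</div>` +
    // URL context inside an attribute: URL-encode first, then html`` HTML-encodes
    html`<a href="/search?q=${encodeUrlParam(name)}">search</a>` +
    // JS context: HTML entities are NOT decoded inside <script>, so the
    // JS-encoded value must bypass HTML encoding via raw()
    html`<script>var n = ${raw(encodeJsString(name))};</script>` +
    // pre-rendered HTML from a trusted step: raw(), as with nanohtml/raw
    html`<section>${raw(renderedBio)}</section>`
  );
}

// Constructed sample input (not from any of the annotated pages):
// renderProfile('Bob <script>', '90210', '<p>hi</p>')
// renderProfile('Bob <script>', 'zzz43', '<p>hi</p>')  -> null (rejected)
```

The layering in `renderProfile` is the point of the Stack Exchange quote: the encoder is chosen by where the value lands, and when a value crosses two contexts (a URL inside an attribute) it is encoded for each in turn, innermost first. The `raw()` opt-out is the nanohtml point: it is needed exactly where HTML encoding would be wrong (script content, already-rendered HTML), and it is the place where a careless call reintroduces XSS.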
-