if you are using it at the client, sure, but then why is the server involved? if... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		dylan604 3 months ago \| parent \| context \| favorite \| on: Element: setHTML() method if you are using it at the client, sure, but then why is the server involved? if you are sending it to the server, you need to treat it like it is always coming from a hacker with very bad intentions. i don't care where the data comes from, my server will sanitize it for its own protection. after all, just because it left "clean" from your browser does not mean it was not interfered with elsewhere upstream TLS be damned. if we've double encoded something, that's fine, it won't blow up the server. at the end of that day, that's what is most important. if some double decoding doesn't happen correctly on the client, then <shrugEmoji>

padjo 3 months ago [–]

Yeah as an Irish person with an apostrophe in their name this attitude is why my name routinely gets mangled or I get told my name is invalid.

You don’t escape input. You safely store it in the database and then sanitize it at the point where you’re going to use it.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact