by Someone1234 2523 days ago
Sanitization of the text input (e.g. < becomes &lt;, > becomes &gt;, etc.). This is automatic/implicit on a lot of modern web frameworks (since text and HTML are distinct types and output to a page is treated differently, with text sanitization being implied unless you opt out).

You shouldn't ever be running untrusted JavaScript. Content Security Policy and similar are just extra layers of protection if you mess up.


Not the input, the output. There are some good comments on this thread about the distinction.

Case in point: the owner altered the vehicle's name using the vehicle's own UI (which is probably not browser based). That input gets stored in the database. Then another system, web-based, wants to display it. If you don't encode the output, you'll be exposed.

Never trust that the input is properly encoded. HTML encode it before display, always.
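The distinction the two comments above draw (store the name as entered, encode it at the point of HTML output, with text and markup as distinct types) as an added example; this is illustrative code, not from any commenter or framework, and the vehicle name, store and template are constructed:

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Html:
    """Marks a string as trusted markup: the explicit opt-out from escaping."""
    value: str


def escape_text(value) -> str:
    """Encode a value for an HTML text/attribute context; Html passes through."""
    if isinstance(value, Html):
        return value.value
    return html.escape(str(value), quote=True)


def render(template: str, **values) -> str:
    """Render a template in which every plain str is escaped by default."""
    return template.format(**{k: escape_text(v) for k, v in values.items()})


# Constructed sample: the owner set this name through the vehicle's own
# (non-browser) UI, and it was stored verbatim, as it should be.
VEHICLE_DB = {"car-1": 'Bob\'s <script>alert("hi")</script>'}


def vehicle_screen_text(vehicle_id: str) -> str:
    """A non-HTML consumer (the in-car display) wants the raw, unencoded text.
    Encoding at input time would have corrupted this output."""
    return VEHICLE_DB[vehicle_id]


def render_vehicle_page_naive(vehicle_id: str) -> str:
    """The vulnerable pattern: trusting that stored input is already encoded."""
    return "<h1>{}</h1>".format(VEHICLE_DB[vehicle_id])


def render_vehicle_page(vehicle_id: str) -> str:
    """The hardened pattern: encode on output, every time, regardless of source."""
    return render("<h1>{name}</h1>{footer}",
                  name=VEHICLE_DB[vehicle_id],
                  footer=Html("<p>Fleet view</p>"))  # trusted markup, not user data
```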

This pedantism only makes sense if you stop reading five words in, ignore the rest of that same sentence, and ignore the context.

I'm not going to address it because it wasn't made in good faith and adds no value to the actual (rather than imagined) discussion.

> pedantism

Sorry, I can't help myself: pedantry