by ta1636467 1465 days ago
Sanitize when rendering the HTML, all other paths lead to hell.

I agree with granddaddy, the web just didn't cater for this with all the XSS, XSRF etc. shenanigans.

We're left with everyone implementing hacks, or in some cases, getting it right. Mud pie. Slap on an extra dollop.

1 comments

> Sanitize when rendering the HTML, all other paths lead to hell

I didn't mean mangle user input when storing. I mean you can do that if you want to parse it and store it as a semantic subset to deliver to the devices that can't render HTML (yes they exist), but I digress.

You can sanitize any piece of HTML to a meaningful subset when rendering (well, before render, if you are doing it on the server side) with virtually any language by choosing among many solid libraries.