[hinkley]

To avoid doxxing myself: In a deep call stack it’s possible to end up sanitizing inputs multiple times and in different ways.

A frequent example I’ve encountered is web frameworks that have to keep checking for escaped text because they didn’t write it in horizontal layers where you know for sure that all inputs have been scrubbed when they reach this function but not that one. So the same functions get called with data that comes from your team and from customers. Reuse is tricky.

[hamburglar]

“Checking for escaped text” is the sort of nonsense that tells you you’re dealing with amateur developers.

[withinboredom]

Indeed. The rules are simple:

- Unescape, sanitize or validate at all entry points.

- Escape all outputs (this includes the database queries).

If you follow those simple rules, you never have to check once you are past a controller. And you should fuzz your controllers to make sure no unexpected data makes it past there.

[hinkley]

Thing about taking a job is they don’t generally let you look at the code first and nope out if it’s fucked six ways to Sunday.

Everyone has clever answers for greenfield projects and empty rhetoric for brown.