by arenaninja 4292 days ago
This is only too true! At work we do CRUD projects, which means user input gets stored in the database. I almost always break other people's work by adding HTML tags to the inputs, navigating back to the page, and seeing markup that shouldn't be there. Even database output needs to be sanitized.

Database output is application input. All forms of input need to be sanitized, period.
Same here. It is surprising how many times I've done that over the years, and people are both surprised at how easy it was and yet easily convince themselves that "it'll be all right" somehow and they'll fix it later...
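The failure the thread describes, as an added example that is not part of the original post: a CRUD app stores a value containing HTML tags, reads it back from the database and pastes it straight into the page, versus treating that database output as untrusted input and HTML-encoding it for the context it lands in. The in-memory SQLite table, the `users` schema and the stored sample value are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample value: the kind of input the commenter types into a CRUD form.
# It contains a tag, a quote and an ampersand, so it exercises body and attribute contexts.
STORED_BIO = '<script>alert(1)</script> "Ann" & friends'


def make_db():
    """In-memory table standing in for the CRUD app's users table (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    con.execute("INSERT INTO users (name, bio) VALUES (?, ?)", ("Ann", STORED_BIO))
    con.commit()
    return con


def fetch_user(con, user_id):
    """Parameterised read; the value that comes back is still untrusted application input."""
    return con.execute("SELECT name, bio FROM users WHERE id = ?", (user_id,)).fetchone()


def render_unsafe(con, user_id):
    """The bug from the thread: database output concatenated straight into markup."""
    name, bio = fetch_user(con, user_id)
    return f'<h1>{name}</h1><p title="{bio}">{bio}</p>'


def render_safe(con, user_id):
    """Encode for HTML on output. quote=True also encodes ' and \" so the
    title attribute cannot be broken out of, not just the element body."""
    name, bio = fetch_user(con, user_id)
    safe_name = html.escape(name, quote=True)
    safe_bio = html.escape(bio, quote=True)
    return f'<h1>{safe_name}</h1><p title="{safe_bio}">{safe_bio}</p>'


def leaks_raw_markup(rendered, stored):
    """Regression check for the tester's trick: did the stored value reach the
    page unencoded? True means the page will interpret it as markup."""
    return stored in rendered
```

The check is the same one the commenter does by hand: store a value with tags, render the page, and see whether the tags survived unencoded.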