Today I Learned - Rocky Kev

TIL the word Sanitize is too overloaded


While cleaning up some potential XSS openings on a website, I kept running into the 'Sanitize your inputs' rhetoric.

I agree with Kevin Smith's post, Sanitize Your Inputs?, that the term is overloaded.

His proposal:

Instead of "Sanitize":

IF YOU MEAN: "removing undesirable data while letting the good stuff through"

RECOMMENDATION: "filtering"

IF YOU MEAN: "converting potentially harmful data into a harmless form"

RECOMMENDATION: "Escaping" user-supplied data — and making sure it only happens on output — is the way to go.

IF YOU MEAN: flat-out rejecting a request when any invalid data is detected

RECOMMENDATION: Opt for "validation" instead.

IF YOU MEAN: to protect the database from malicious input

RECOMMENDATION: Remember that the only reliable solution is using prepared statements.

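To make the first three distinctions concrete, here is an added example in JavaScript (not code from this post or from Kevin Smith's article): the same constructed display name passes through filtering, validation and output-time escaping, and a double-escaping helper shows why escaping belongs on output rather than on input. The function names and the sample form value are assumptions.

```javascript
// Added example: three different operations that "sanitize" usually lumps together.

// FILTERING: strip undesirable data, let the rest through.
// Here a display name keeps only letters, digits, spaces and a little punctuation.
function filterDisplayName(input) {
  return input.replace(/[^\p{L}\p{N} _.'-]/gu, "").trim();
}

// VALIDATION: accept or reject the whole value; an invalid value is never "repaired".
// Here a username must be 3-20 characters of [a-z0-9_].
function validateUsername(input) {
  return /^[a-z0-9_]{3,20}$/.test(input);
}

// ESCAPING: convert data into a harmless form for one specific output context
// (HTML text and double-quoted attribute values), applied at output time.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Output-time escaping: the stored value keeps its original characters, and the
// browser never parses them as tags or attributes.
function renderProfile(username, displayName) {
  return `<div class="user" data-name="${escapeHtml(username)}">` +
         `${escapeHtml(displayName)}</div>`;
}

// Anti-pattern for contrast: "sanitizing" on input by escaping, then escaping again
// on output. "<b>" is stored as "&lt;b&gt;" and rendered as "&amp;lt;b&amp;gt;",
// so the page displays the literal text "&lt;b&gt;".
function escapedOnInputThenOutput(input) {
  return escapeHtml(escapeHtml(input));
}

// Hypothetical form handler (no real framework): validate what must be exact,
// store the rest unchanged, escape when rendering.
function handleSubmission(form) {
  if (!validateUsername(form.username)) {
    return { ok: false, error: "invalid username" }; // reject, don't fix
  }
  return { ok: true, html: renderProfile(form.username, form.displayName) };
}

// Constructed sample submission, not real user data.
const sample = { username: "rocky_kev", displayName: "Rocky <script>alert(1)</script>" };
console.log(handleSubmission(sample).html);   // tags arrive as &lt;script&gt; text
console.log(filterDisplayName(sample.displayName)); // "Rocky scriptalert1script"
```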
In short: "sanitize" means too many different things depending on context. Say filtering, escaping, validation, or protecting the database with prepared statements instead.