
I have a React application which has a form input. The user will fill out this form and once finished this data will be sent via POST request to a service (Spring Boot app) which will persist the data. The web app also has a search function and will send query params via GET request to the same Spring Boot app.

I am sanitizing the data when it is received in the Spring Boot application using a Filter.

My question is, since the server side is validating the data and stripping out possible XSS attack code, is it necessary to sanitize data inputted into the form on the React app side too? If so, would I do this just before the API call is made? i.e. have code to strip out dangerous characters before the data is added to POST payload, or as soon as data is read in from input text fields?

I have read numerous posts online and answers here on SO. I understand that it seems most important to validate on the server side since client code can't be trusted. The thing I am not clear on is since the client code is accessible to any possible attacker, can't they just bypass any validation mechanism on the client side making it pointless to add on the client in the first place? The only advantage I can see right now is detecting dangerous input as early as possible.

Thanks

sam

2 Answers

0

It is useless to do client-side sanitisation; it is a waste of time and gives developers a false feeling of security. If you want to do sanitisation of input (arguably it is not necessary if your clients encode output), you have to do it on the server anyway.

“The only advantage I can see right now is detecting dangerous input as early as possible.”

An experienced hacker will bypass client validation anyway. You should not put effort into providing a naive hacker feedback as early as possible :)

If your backend uses .NET, see AntiXSS in ASP.NET Core.

Michael Freidgeim
-1

It's not pointless to do client-side validation. For one, it's good UX: you should never allow a user to enter invalid data into input fields, otherwise they will be presented with a litany of server-side error messages after submission.

Secondly, it can deter casual attackers who may just want to see what happens if they enter ' into the username field (a SQL injection attack), but who otherwise may not be bothered to get out a web proxy and start a full-on attack.

jsdeveloper
  • Ok, so say for the search input. Would you recommend I add a regex so that only alphanumeric characters are accepted or would it be better to sanitise the data when it is set as a parameter in the API call? – sam Mar 20 '19 at 23:13
  • 1
    I would recommend restricting the input (using regex if necessary) as much as possible. You can use the same regex to double check before the api call. – jsdeveloper Mar 20 '19 at 23:18
  • It is useless to do client side sanitisation - is wasting of time and giving false feeling of security for developers. If you want to do sanitisation, you have to do it on the server – Michael Freidgeim Jan 18 '23 at 12:04
  • “you should never allow a user to enter invalid data into input fields” if you have known validation rules, you should implement field validation, which is different to sanitisation. – Michael Freidgeim Jan 18 '23 at 12:28
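The comment thread above mixes three separate concerns: restricting what a field accepts (validation, a UX aid that the server must repeat), encoding the value for transport in the GET query string, and encoding it when it is rendered as HTML (the actual XSS defence). The following is an added example, not code from the question or either answer; the search field name `q`, the allow-list regex and the base URL are assumptions.

```javascript
// Added example: allow-list validation, transport encoding and output
// encoding for the search input discussed above. Regex, field name and
// base URL are assumptions, not values from the question.
const SEARCH_QUERY_RE = /^[A-Za-z0-9 ]{1,50}$/;

// Client-side allow-list check. This is a UX convenience only: it runs in
// the user's browser, so the Spring Boot side must apply the same rule
// independently before trusting the parameter.
function isValidSearchQuery(q) {
  return typeof q === "string" && SEARCH_QUERY_RE.test(q);
}

// Build the GET URL. Transport encoding is separate from validation:
// URLSearchParams percent-encodes every reserved character, so even a
// rejected or unexpected value cannot change the query structure.
function buildSearchUrl(baseUrl, q) {
  const params = new URLSearchParams({ q });
  return `${baseUrl}?${params.toString()}`;
}

// Output encoding is what prevents reflected/stored XSS when a value is
// rendered as HTML. React's JSX escapes text children automatically; this
// helper shows the equivalent for any non-React rendering path.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Submit path for the form: validate for early feedback, then encode for
// transport. Returns null when the client-side rule rejects the input.
function prepareSearchRequest(baseUrl, q) {
  if (!isValidSearchQuery(q)) return null;
  return buildSearchUrl(baseUrl, q);
}
```

In a React submit handler, call `prepareSearchRequest` and pass the resulting URL to `fetch`; a `null` result is the point at which to show the inline field error instead of sending the request.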