Stack Overflow
Stack Overflow

Questions tagged [sanitization]

Data sanitization to prevent code injection

Data santization is used to prevent code injection problems, by secure input and output handling, such as:

  1. Input validation
  2. Selective input inclusion/exclusion
  3. Escaping dangerous characters. For instance, in PHP, using the htmlspecialchars() function (converts HTML tags to their ISO-8859-1 equivalents) and/or strip_tags() function (completely removes HTML tags) for safe output of text in HTML, and mysql_real_escape_string() to isolate data which will be included in an SQL request, to protect against SQL Injection.
  4. Input encoding
  5. Output encoding
  6. Other coding practices which are not prone to code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound variables" or "bound values").
  7. Modular shell disassociation from kernel
1083 questions
17
votes
2 answers

angular-translate sanitisation fails with UTF characters

On Angular 1.3.x with latest version of angular-translate. Using $sanitize it seems there are problems when using filter or service directly, but it works when using the directive. Suggestions? Here is an example: var myApp =…
fusio
  • 3,595
  • 6
  • 33
  • 47
17
votes
10 answers

PHP - HTML Purifier - hello wrld/world tutorial striptags

I am just looking into using HTML Purifier to ensure that a user-inputed string (that represents the name of a person) is sanitized. I do not want to allow any html tags, script, markup etc - I just want the alpha, numeric and normal punctuation…
JW.
  • 4,821
  • 5
  • 43
  • 60
16
votes
5 answers

.NET libraries to sanitize input?

Are there any thoroughly tested .NET libraries out there to sanitize input from things like script/sql injection?
TWA
  • 12,756
  • 13
  • 56
  • 92
16
votes
3 answers

Sanitize $_GET parameters to avoid XSS and other attacks

I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other…
Federico klez Culloca
  • 26,308
  • 17
  • 56
  • 95
15
votes
2 answers

Secure XSS cleaning function (updated regularly)

I've been hunting around the net now for a few days trying to figure this out but getting conflicting answers. Is there a library, class or function for PHP that securely sanitizes/encodes a string against XSS? It needs to be updated regularly to…
zuallauz
  • 4,328
  • 11
  • 43
  • 54
15
votes
1 answer

When is filter_input() used versus filter_var()?

I traditionally use a filter_var() function for sanitizing $_GET and $_POST data, such as: $foo = filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT); but PHP also has a function filter_input(), which has a different syntax to accomplish the…
Sablefoste
  • 4,032
  • 3
  • 37
  • 58
15
votes
4 answers

Javascript XSS Prevention

There is a Node.js project that sanitizes data and there is an OWASP library for JavaScript that handles sanitization to prevent XSS. I have been benchmarking these libraries, and they are pretty intensive and maybe an overkill, my application does…
onlineracoon
  • 2,932
  • 5
  • 47
  • 66
15
votes
5 answers

How to allow specific characters with OWASP HTML Sanitizer?

I am using the OWASP Html Sanitizer to prevent XSS attacks on my web app. For many fields that should be plain text the Sanitizer is doing more than I expect. For example: HtmlPolicyBuilder htmlPolicyBuilder = new…
ams
  • 60,316
  • 68
  • 200
  • 288
14
votes
2 answers

PHP - Is this a safe way to allow user-supplied regular expressions

I would like to allow small user-defined regular expressions to be submitted for testing. However, there are many problems to consider from run-away server usage to more evil eval() usage. To my knowledge I have handled all the problems I could…
Xeoncross
  • 55,620
  • 80
  • 262
  • 364
13
votes
2 answers

How to install, import and use DOMPurify in frontend js file?

This is more of a "can you please confirm this is correct" type of question, as I think I resolved it in the process of writing the question but hopefully it will be of help to other people who are a bit hesitant when it comes to implementing…
user1063287
  • 10,265
  • 25
  • 122
  • 218
13
votes
2 answers

what is the difference between sanitizing and validation in php?

I am a beginner PHP developer who was working with an issue regarding PHP script injection. Fortunately PHP has functions like filter_var and strip_tags which did the job perfectly for me. But I don't understand the difference between the terms…
user5292425
13
votes
3 answers

Python Input Sanitization

I need to do some very quick-n-dirty input sanitizing and I would like to basically convert all <, > to <, >. I'd like to achieve the same results as ''.replace('<', '<').replace('>', '>') without having to iterate the…
notorious.no
  • 4,919
  • 3
  • 20
  • 34
12
votes
3 answers

Sanitize table/column name in Dynamic SQL in .NET? (Prevent SQL injection attacks)

I am generating some Dynamic SQL and would like to ensure that my code is safe from SQL injection. For sake of argument here is a minimal example of how it is generated: var sql = string.Format("INSERT INTO {0} ({1}) VALUES (@value)", tableName,…
user166390
11
votes
5 answers

What Unicode characters are dangerous?

What Unicode characters (more precisely codepoints) are dangerous and should be blacklisted and prohibited for the users to use? I know that BIDI override characters and the "zero width space" are very prone to make problems, but what others are…
federico-t
  • 12,014
  • 19
  • 67
  • 111
11
votes
5 answers

PHP Santizing/Validating Array of Integers

I have the following array and would like to know what the best way would be of validating and santizing this array to make sure only integers are allowed? if(is_array($_POST['taxonomy'])) { $term_ids = array_map('esc_attr',…
daveaspinall
  • 1,395
  • 1
  • 17
  • 28
1 2 3
72 73