Questions tagged [sanitization]

Data sanitization to prevent code injection

Data sanitization is used to prevent code injection problems through secure input and output handling, such as:

  1. Input validation
  2. Selective input inclusion/exclusion
  3. Escaping dangerous characters. For instance, in PHP, using the htmlspecialchars() function (converts HTML tags to their ISO-8859-1 equivalents) and/or strip_tags() function (completely removes HTML tags) for safe output of text in HTML, and mysql_real_escape_string() to isolate data which will be included in an SQL request, to protect against SQL Injection.
  4. Input encoding
  5. Output encoding
  6. Other coding practices which are not prone to code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound variables" or "bound values").
  7. Modular shell disassociation from kernel
1083 questions
11 votes · 2 answers

Sanitize string of regex characters before RegExp build?

I want to use a string to perform a global regex, but it might have regex characters in it. What's the best way to escape all regex characters in a string before building a regex with it? Basically I might have something like this; var test =…
Stephen Belanger
  • 6,251
  • 11
  • 45
  • 49
11 votes · 1 answer

How do I sanitize LaTeX input?

I'd like to take user input (sometimes this will be large paragraphs) and generate a LaTeX document. I'm considering a couple of simple regular expressions that replaces all instances of \ with \textbackslash and all instances of { or } with \} or…
Conley Owens
  • 8,691
  • 5
  • 30
  • 43
11 votes · 3 answers

Escape % symbol in a java string to apply String.format

In my project (Java/Play framework) I have an error handling routine that checks the response from a web service; if the response is an error code, we display the corresponding error message saying what was the problem with the user input, the…
orlybg
  • 599
  • 1
  • 5
  • 15
11 votes · 5 answers

Markdown and XSS

Ok, so I have been reading about markdown here on SO and elsewhere and the steps between user-input and the db are usually given as convert markdown to html sanitize html (w/whitelist) insert into database but to me it makes more sense to do the…
psb
  • 111
  • 1
  • 3
11 votes · 3 answers

What is the correct way to make web form input safe for a variety of contexts?

What do you all think is the correct (read: most flexible, loosely coupled, most robust, etc.) way to make user input from the web safe for use in various parts of a web application? Obviously we can just use the respective sanitization functions…
Anonymous
  • 3,334
  • 3
  • 35
  • 50
10 votes · 2 answers

How best to sanitize fields in ruby on rails

I currently have a controller capturing some HTML from TinyMCE on the front end. If I tinker with Firebug it is possible to submit script tags and inject alert messages etc. on to the screen. Edit: Currently I am fixing this in the model by using the…
Chris
  • 6,076
  • 11
  • 48
  • 62
10 votes · 6 answers

PHP: How to sanitize uploaded filenames?

I have a PHP application. I allow users to upload files to my web application. Question: What's the best way for me to sanitize the file names of the uploaded documents $_FILES["filename"]["tmp_name"] in PHP? UPDATE: Can I take an MD5 of the…
frooyo
  • 1,863
  • 3
  • 19
  • 21
10 votes · 5 answers

CSS and jQuery: spaces inside image name break code of url()

I have a page that is supposed to display a larger version of an image when hovering over a thumbnail. I have a 'div' with an ID and the jQuery code is as follows: $(document).ready(function(){ $('img').hover(function() { var src = $("#im"…
Shyam
  • 2,357
  • 8
  • 32
  • 44
10 votes · 1 answer

Security of eval() with sanitized input

I want to use eval() to resolve simple equations and logical expressions, e.g. 12*(4+3). How safe is client-side eval when the input (possibly untrusted) gets sanitized and only allows digits, +-*/()<>|&! and the words 'true' and 'false'? Available…
user3195878
  • 145
  • 6
10 votes · 2 answers

$sanitize Custom Whitelist

The $sanitize service tells me that "All safe tokens (from a whitelist) are then serialized back to properly escaped html string." I want to only display an even smaller subset of HTML (viz. em, p, a, and strong). Is there a way to easily modify the…
Ian Hunter
  • 9,466
  • 12
  • 61
  • 77
10 votes · 3 answers

Sanitizing SVG using PHP

I am creating charts on the fly as SVGs using d3.js. These charts are dynamically generated based on the selections of authenticated users. Once these charts are generated, the user has the option to download the generated SVG as a PNG or PDF. The…
Ale Exc
  • 135
  • 1
  • 8
10 votes · 3 answers

HTMLPurifier: How to allow a single attribute without redefining the whole whitelist

I'm using HTMLPurifier to sanitize an HTML string (it's about security). Some attributes (like width or height) are removed when HTMLPurifier is called. I don't consider this a security issue. How can I add this attribute without redefining the…
rap-2-h
  • 30,204
  • 37
  • 167
  • 263
9 votes · 2 answers

Sanitize sentence in PHP

The title may sound odd, but I'm kind of trying to set up this preg_replace that takes care of messy writers for a textarea. It has to: if there is an exclamation sign, there should not be another one in a row; if there is a ., the comma wins and it…
Andres SK
  • 10,779
  • 25
  • 90
  • 152
9 votes · 0 answers

How to sanitize and validate a POJO in an HTTP POST to pass a Checkmarx scan

I am using Spring MVC and I have an endpoint with HTTP method POST. @ResponseBody public ResponseEntity request(@RequestBody @Valid RequestPayload requestBody){ //Code } public class RequestPayload { private String op; private…
cody123
  • 2,040
  • 24
  • 29
9 votes · 0 answers

Node.js: How do I protect against malicious image file uploads? I.e., how do I implement an image sanitizer in Node?

I am creating a web app using hapi.js that allows users to upload images. I am validating the uploaded images in both the client and server to only allow .jpg/.jpeg, .png, and .gif files. However, I am new to web application security and when it…
Samuel Earl
  • 351
  • 4
  • 10