Stack Overflow
Stack Overflow

Questions tagged [sanitization]

Data sanitization to prevent code injection

Data santization is used to prevent code injection problems, by secure input and output handling, such as:

  1. Input validation
  2. Selective input inclusion/exclusion
  3. Escaping dangerous characters. For instance, in PHP, using the htmlspecialchars() function (converts HTML tags to their ISO-8859-1 equivalents) and/or strip_tags() function (completely removes HTML tags) for safe output of text in HTML, and mysql_real_escape_string() to isolate data which will be included in an SQL request, to protect against SQL Injection.
  4. Input encoding
  5. Output encoding
  6. Other coding practices which are not prone to code injection vulnerabilities, such as "parameterized SQL queries" (also known as "prepared statements" and sometimes "bound variables" or "bound values").
  7. Modular shell disassociation from kernel
1083 questions
9
votes
4 answers

Do i need to sanitize input if using prepared PHP/MySQL queries?

Given the following piece of code, Do i need to escape and sanitize $city?
Gary Willoughby
  • 50,926
  • 41
  • 133
  • 199
9
votes
5 answers

Good way to sanitize input in classic asp

I have to update old projects at work. I do not have any experience with classic asp, although i'm familiar with php scripting. Are there any functions I should use? Can you provide me with a good function for some basic protection? Is there…
Sander Versluys
  • 72,737
  • 23
  • 84
  • 91
9
votes
1 answer

Angular DomSanitizer - SecurityContext.NONE

Official Angular Security Guide speaks about 4 security contexts: HTML, Url, Style and Resource Url. Each one is responsible for sanitizing corresponding type of resource. In addition, there are 5 methods (per resource type) in DomSanitizer service …
JeB
  • 11,653
  • 10
  • 58
  • 87
9
votes
3 answers

Angular 2 disable sanitize

I am trying to render base64 string into
Maris
  • 4,608
  • 6
  • 39
  • 68
9
votes
3 answers

Sanitizing PHPSESSID

I'm passing PHPSESSID to a PHP page (via POST) and I was wondering what's the best way of sanitizing the input. Would mysql_real_escape_string suffice? Is there anything special I should take into account when dealing with session IDs (I mean, they…
nico
  • 50,859
  • 17
  • 87
  • 112
9
votes
1 answer

Angular 2+ Sanitize Form Input for XSS attacks

I am developing a web application using Angular2 Beta. My forms include simple Text fields and Text areas which accept input from the user and the data is displayed back in the application. These fields are not meant to take any HTML input and…
Bhargav
  • 871
  • 1
  • 13
  • 24
9
votes
4 answers

PHP - remove http/www from message (except for the host domain) to disable clickable links

I have a simple message board, let's say: mywebsite.com, that allows users to post their messages. Currently the board makes all links clickable, ie. when someone posts something that starts with: http://, https://, www., http://www.,…
NonCoder
  • 235
  • 4
  • 10
9
votes
1 answer

Usage of esc_url, esc_html, esc_attr ... functions

When are definitely needed or for a good practice to use escaping functions? Such as using esc_url(); with: get_template_directory_uri(); get_permalink(); get_author_posts_url(); get_edit_post_link(); wp_get_attachment_url(); And esc_html();…
Stickers
  • 75,527
  • 23
  • 147
  • 186
8
votes
4 answers

to_sentence and html_safe, together?

Here's the string I want: Baxter and Sofia Here's the code I'm using to output that: <%= @pugs.collect {|p| link_to(p.name, pug_path(p))}.to_sentence %> Unfortunately the output is getting…
Shpigford
  • 24,748
  • 58
  • 163
  • 252
8
votes
6 answers

Filtering JavaScript out of HTML

I have a rich text editor that passes HTML to the server. That HTML is then displayed to other users. I want to make sure there is no JavaScript in that HTML. Is there any way to do this? Also, I'm using ASP.NET if that helps.
Stephen Lacy
8
votes
5 answers

Sanitizing HTML input

I'm thinking of adding a rich text editor to allow a non-programmer to change the aspect of text. However, one issue is that it's possible to distort the layout of a rendered page if the markup is incorrect. What's a good lightweight way to sanitize…
James P.
  • 19,313
  • 27
  • 97
  • 155
8
votes
1 answer

Is HTML5's contenteditable attribute supposed to be XSS safe?

I have read the somewhat related question div contenteditable, XSS, but its answers do not highlight much about the XSS saftey of contenteditable. In particular with regards to accidental (as compared to intential cross-site-scripting). I am, of…
humanityANDpeace
  • 4,350
  • 3
  • 37
  • 63
8
votes
1 answer

PHP: How to sanitize a natural number (positive INT)?

From PHP sanitize filters list there is one option to sanitize integers: FILTER_SANITIZE_NUMBER_INT - Remove all characters except digits, plus and minus sign. If we use: filter_var($var2San, FILTER_SANITIZE_NUMBER_INT); This will clean dots .…
Armfoot
  • 4,663
  • 5
  • 45
  • 60
8
votes
3 answers

Secure Python Markdown Library

I'd like to enable users to leave rich text comments, possibly using markdown. I've installed the libraries used on Reddit, but am concerned about the javascript injection attack which occurred last year, especially since I'm still not clear on the…
MichaelBlume
  • 228
  • 1
  • 6
8
votes
2 answers

Convert multiline plain text to HTML paragraphs with AngularJS

I'm getting a multiline plain text from my backend. For example: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc porta velit ut nunc pretium, quis auctor nunc placerat. In quis porta neque. Fusce dapibus faucibus mi…
Slava Fomin II
  • 26,865
  • 29
  • 124
  • 202
1 2 3
72 73