←back to thread

Element: setHTML() method

(developer.mozilla.org)
167 points todsacerdoti | 4 comments | 22 Oct 25 09:03 UTC | HN request time: 0.641s | source
Show context
dzogchen ◴[22 Oct 25 21:13 UTC] No.45675208[source]
Neat. I think once this is adopted by HTMX (or similar libraries) you don't need to sanitize on the server side anymore?
replies(1): >>45675272 #
dylan604 ◴[22 Oct 25 21:19 UTC] No.45675272[source]
Do you honestly feel that we will ever be in a place for the server to not need to sanitize data from the client? Really? I don't. Any suggestion to me of "not needing to sanitize data from client" will immediately have me thinking the person doing the suggesting is not very good at their job, really new, or trying to scam me.

There's no reason to not sanitize data from the client, yet every reason to sanitize it.

replies(4): >>45675347 #>>45675432 #>>45675693 #>>45676358 #
1. strbean ◴[22 Oct 25 21:31 UTC] No.45675432[source]
It can be a complicated and error-prone process, mainly in scenarios where you have multiple mediums that require different sanitizers. Obviously you should do it. But in such scenarios, the best practice is to sanitize as close to the place it is used as possible. I've seen terrible codebases where they tried to apply multiple layers of sanitization on user input before storing to the DB, then reverse the unneeded layers before output. Obviously this didn't work.

Point being, if you can move sanitization even closer to where it is used, and that sanitization is actually provided by the standard library of the platform in question, that's a massive win.

replies(2): >>45675650 #>>45676516 #
2. immibis ◴[22 Oct 25 21:55 UTC] No.45675650[source]
By "sanitise" what's really meant is usually "escape". User typed their display name as <script>. You want the screen to say their display name, which is <script>. Therefore you send &lt;script&gt;. That's not their display name - that's just what you write in HTML to get their display name to appear on the screen. You shouldn't store it in the database in the display_name column.
replies(1): >>45675922 #
3. strbean ◴[22 Oct 25 22:23 UTC] No.45675922[source]
Agreed. The codebase I'm thinking of was html encoding stuff before storing it, then when they needed to e.g. send an SMS, trying to remember to decode. Terrible.
4. dylan604 ◴[22 Oct 25 23:36 UTC] No.45676516[source]
You're making a bad assumption that client side code was the last place the submitted string was altered in the path to the server. The man in the middle might have a different idea and should always be protected against on the server where it is the last place to sanitize it.