PSA: You should sanitize user input

If I had a nickel for every chat room I've used that simply doesn't sanitize, well, I'd have at least 15 cents. That's not a lot of nickels, but it's 3 nickels too many.

What even is sanitation?

When you have an application like a chat room, you have the user type in what they'd like to send, then display it for everyone else to see. Usually this is just text, but if left unsanitized, they could just as easily send over some HTML code too. This doesn't sound too bad until you realize that also means they can send over JavaScript code. That's not good.

So, to prevent this, the programmer should sanitize their user input. Sanitization is the process of turning text that contains HTML into something the browser doesn't parse as HTML. There are many ways of doing this.

The hacky way

The hacky way involves replacing characters in a user's message. There are characters that look like the less-than and greater-than signs (< and > respectively) but won't get turned into HTML tags. Feel free to copy and paste these into your project.


The efficient way

JS elements have three similar properties for their contents: innerHTML, innerText, and textContent (thank you @AdCharity for telling me about this). If you can, use either innerText or textContent, because the browser inserts that value as plain text instead of parsing it as HTML.

The only reason you wouldn't want to use these is if you weren't using innerHTML in the first place. I don't see any other way than to use these two, but you never know ¯\_(ツ)_/¯
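As an added example (not code from the original post), here is what both approaches look like in practice: an `escapeHtml` helper that does the "hacky way" properly by encoding the characters HTML treats specially as entities (the standard technique, rather than swapping in look-alike glyphs), and an `appendMessageSafely` function that takes the "efficient way" and builds the message with `textContent` and text nodes so nothing is ever parsed as markup. The `container` element, the user names and the sample message are all constructed for the demo; the DOM part only runs when a `document` exists, so the file also runs under Node.

```javascript
// Added example, not from the original post.
// The five characters that can open a tag, close one, or break out of an
// attribute value. "&" is included so existing text like "&lt;" is not
// turned back into a "<" by the browser.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a chat message so it is displayed literally even when the string
// ends up inside innerHTML. Every special character is replaced in one pass,
// so "&" is never double-encoded.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// If you must build an HTML string (a template, for instance), escape every
// user-controlled piece before concatenating it into the markup.
function renderMessageHtml(username, message) {
  return `<div><b>${escapeHtml(username)}</b>: ${escapeHtml(message)}</div>`;
}

// The "efficient way": create the elements yourself and assign user input only
// through textContent / text nodes. The browser stores these as text and never
// parses them as HTML, so no escaping is needed at all.
// `container` is assumed to be a DOM element (browser only).
function appendMessageSafely(container, username, message) {
  const line = document.createElement('div');
  const who = document.createElement('b');
  who.textContent = username;                          // text node, never markup
  line.appendChild(who);
  line.appendChild(document.createTextNode(': ' + message));
  container.appendChild(line);
  return line;
}

// Constructed sample input: a message that smuggles in a tag and a script.
const SAMPLE_MESSAGE = '<b>hello</b> <script>alert("xss")</script>';

if (typeof document !== 'undefined') {
  // In a browser: the tags show up as literal text in the chat.
  appendMessageSafely(document.body, 'alice', SAMPLE_MESSAGE);
} else {
  // Under Node: show the escaped markup a template would emit.
  console.log(renderMessageHtml('alice', SAMPLE_MESSAGE));
}
```

Both functions give the same result for the reader of the chat: the tags are visible as text and nothing executes. The difference is where the work happens. `escapeHtml` is easy to forget in one spot of a large template, while the `textContent` route cannot be forgotten because there is no string of HTML to get wrong in the first place.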


For the last time, SANITIZE

Edit: Relevant xkcd


I'd say the best form of sanitation is to use .textContent . Basically the html tags show but don't do crap.


@AdCharity sir, you are under arrest for using the word: "crap"


@AdCharity textContent and innerText function the same with some minor differences, which can be seen here.


@ipastrano :/ what a sad way to go about life.


@AdCharity yeah...


@ipastrano see I have 769 cycles


@AdCharity ayyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy


@SixBeeps you're going to surpass me soon cause I haven't been creating much content lately (or checking out the feed)


@AdCharity Honestly I've just been farming the Ask board a bunch


@AdCharity You and your cycles! Now I have to change the post!!!! (Kidding, not angry, it's cool that you have a lot of cycles.)


@AdCharity Guess who just reached 769?


@SixBeeps nah you've already surpassed me


@AdCharity whoops :x