
By "sanitise" what's really meant is usually "escape". User typed their display name as <script>. You want the screen to say their display name, which is <script>. Therefore you send &lt;script&gt;. That's not their display name - that's just what you write in HTML to get their display name to appear on the screen. You shouldn't store it in the database in the display_name column.


Agreed. The codebase I'm thinking of was HTML-encoding stuff before storing it, then when they needed to e.g. send an SMS, trying to remember to decode. Terrible.
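The two storage strategies discussed in the comments above, side by side, as an added example that is not part of either commenter's post. The display name, the `render_html` and `render_sms` sinks and the hypothetical SMS text are constructed for illustration; the point is that escaping belongs at the HTML output boundary, so a stored-encoded value is wrong for every other sink and double-encodes for the HTML one.

```python
import html

# Constructed sample: a display name that happens to look like markup.
DISPLAY_NAME = "<script>"


def store_escaped(name: str) -> str:
    """The 'sanitise before storing' approach the thread argues against.

    What lands in display_name is HTML markup, not what the user typed.
    """
    return html.escape(name, quote=True)


def store_raw(name: str) -> str:
    """Store exactly what the user typed; encoding is an output concern."""
    return name


def render_html(stored: str) -> str:
    """HTML sink: escape at this boundary, every time, whatever was stored."""
    return f'<span class="name">{html.escape(stored, quote=True)}</span>'


def render_sms(stored: str) -> str:
    """Plain-text sink (hypothetical SMS body): no HTML escaping belongs here."""
    return f"Hi {stored}, your code is 123456"


def compare(name: str) -> dict:
    """Run both storage strategies through both sinks for comparison."""
    raw, enc = store_raw(name), store_escaped(name)
    return {
        # Correct: browser shows "<script>" as text, SMS shows it verbatim.
        "raw_html": render_html(raw),
        "raw_sms": render_sms(raw),
        # Wrong: page shows literal "&lt;script&gt;", SMS carries entities.
        "escaped_html": render_html(enc),
        "escaped_sms": render_sms(enc),
    }


if __name__ == "__main__":
    for sink, out in compare(DISPLAY_NAME).items():
        print(f"{sink:13} {out}")
```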



