Escape vs Sanitize HTML Form Input

Rob Thornton

Jul 18, 2014, 6:19:14 PM7/18/14
to golan...@googlegroups.com
I'm fairly ignorant of Internet Security and, seeing as I'm going to be writing my first web app, I wanted a bit of a clarification on one point.

If input has been escaped is it strictly necessary to sanitize it (removing html tags for example)? It strikes me that the html will not be rendered/executed by the browser if the string has already been escaped but merely be displayed.

The app will not take much in the way of input except for a User name or ID, password, email address and mailing address. If displaying this information on a settings page, is there anything more that needs to be done to the string itself?

This also applies to search. I want to ensure no code gets injected to a DB search. Will html.EscapeString() be adequate since it will escape the single or double quote?

Thanks,

Rob

David Symonds

Jul 18, 2014, 8:25:24 PM7/18/14
to Rob Thornton, golang-nuts
Don't trust input, and always escape it when you're writing it out.

html.EscapeString is not even remotely suitable for use with SQL
queries; use an SQL library that supports bind parameters.

https://xss-game.appspot.com/ might be a fun way for you to start
learning the basics.
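David's point is to escape at output time, and in Go that is what html/template does for you (egon recommends it below). The following is an added example, not code from the thread: the settings-page fragment, the hostile user name and the address string are constructed samples. It renders the same value with html/template and with text/template so the difference is visible, and shows why html.EscapeString alone is the wrong tool once the value lands inside a script block.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	texttemplate "text/template"
)

// Constructed settings-page fragment. The same user-controlled value lands in
// three contexts: HTML text, a double-quoted attribute, and a JavaScript value.
const settingsPage = `<p>Name: {{.Name}}</p>
<input name="display" value="{{.Name}}">
<script>var displayName = {{.Name}};</script>
`

// Settings is the data handed to the template.
type Settings struct {
	Name string
}

// html/template escapes each {{.Name}} according to the context it sits in.
var escapedTmpl = template.Must(template.New("settings").Parse(settingsPage))

// text/template performs no escaping; it is here only to show the difference.
var rawTmpl = texttemplate.Must(texttemplate.New("settings").Parse(settingsPage))

// RenderEscaped renders the page with html/template (contextual auto-escaping).
func RenderEscaped(s Settings) (string, error) {
	var buf bytes.Buffer
	if err := escapedTmpl.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderRaw renders the same page with text/template: the script tag in the
// name reaches the browser untouched, three times.
func RenderRaw(s Settings) (string, error) {
	var buf bytes.Buffer
	if err := rawTmpl.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// EscapeForHTMLText is html.EscapeString: correct for HTML text and quoted
// attributes only. Used inside <script> it yields a JavaScript syntax error,
// not a safe value, and it has nothing to do with SQL.
func EscapeForHTMLText(s string) string {
	return html.EscapeString(s)
}

func main() {
	// Constructed sample input: a "user name" carrying a script tag.
	hostile := Settings{Name: `<script>alert(1)</script>`}
	escaped, _ := RenderEscaped(hostile)
	raw, _ := RenderRaw(hostile)
	fmt.Println("html/template:\n" + escaped)
	fmt.Println("text/template:\n" + raw)
	fmt.Println("html.EscapeString:", EscapeForHTMLText(`1 Main St. "Apt" 2 & O'Brien`))
}
```

Note that the escaped output differs per context: the text and attribute positions get `&lt;script&gt;...`, while the JavaScript position gets a JSON string with `\u003c`/`\u003e`. That is exactly what a single html.EscapeString call cannot do, and it is also why the stored value should stay as the user typed it (an address containing `&` or `'` must not be mangled on the way into the database).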

egon

Jul 19, 2014, 3:45:40 AM7/19/14
to golan...@googlegroups.com
On Saturday, 19 July 2014 01:19:14 UTC+3, Rob Thornton wrote:
I'm fairly ignorant of Internet Security and, seeing as I'm going to be writing my first web app, I wanted a bit of a clarification on one point.

If input has been escaped

How do you know it has been escaped?
 
is it strictly necessary to sanitize it (removing html tags for example)? It strikes me that the html will not be rendered/executed by the browser if the string has already been escaped but merely be displayed.

The app will not take much in the way of input except for a User name or ID, password, email address and mailing address. If displaying this information on a settings page, is there anything more that needs be done to the string itself?

Use html/template package for rendering, it does escaping automatically. Of course be careful if you are doing browser side template rendering, I'm not sure what the safe libraries for it are.

Try to write code such that input/output code doesn't need manual sanitization, let the packages do it for you. It's very easy to forget to call such functions and it should be handled automatically as much as possible.
 

This also applies to search. I want to ensure no code gets injected to a DB search. Will html.EscapeString() be adequate since it will escape the single or double quote?

Don't add together SQL strings to construct the query/exec parameter. e.g.

// this is safe
db.QueryRow("SELECT age FROM users WHERE name = ?", name)

// this is not
db.QueryRow("SELECT age FROM users WHERE name = '" + name + "'")
 
 
Thanks,

Rob
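To make visible what egon's two QueryRow calls actually hand to the database, here is an added example that is not from the thread. It registers a hypothetical database/sql driver called "recorder" (not a real driver) that executes nothing and only records the SQL text and the bound arguments it receives; the users table and age column are the ones from egon's snippet, and the hostile input is constructed. With the placeholder form the SQL text stays constant and the name travels separately, whatever it contains; with concatenation the name becomes part of the statement.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
	"sync"
)

// recorder is a hypothetical driver: it runs nothing and only keeps the last
// query text and bound arguments that database/sql passed down to it.
type recorder struct {
	mu    sync.Mutex
	query string
	args  []driver.Value
}

func (r *recorder) Open(name string) (driver.Conn, error) { return &conn{r: r}, nil }

type conn struct{ r *recorder }

func (c *conn) Prepare(q string) (driver.Stmt, error) { return &stmt{r: c.r, q: q}, nil }
func (c *conn) Close() error                          { return nil }
func (c *conn) Begin() (driver.Tx, error) {
	return nil, errors.New("recorder: transactions not supported")
}

type stmt struct {
	r *recorder
	q string
}

func (s *stmt) Close() error  { return nil }
func (s *stmt) NumInput() int { return -1 } // -1: database/sql skips placeholder counting
func (s *stmt) Exec(args []driver.Value) (driver.Result, error) {
	s.record(args)
	return driver.RowsAffected(0), nil
}
func (s *stmt) Query(args []driver.Value) (driver.Rows, error) {
	s.record(args)
	return &rows{}, nil
}
func (s *stmt) record(args []driver.Value) {
	s.r.mu.Lock()
	defer s.r.mu.Unlock()
	s.r.query = s.q
	s.r.args = append([]driver.Value(nil), args...)
}

// rows yields one fake row so that QueryRow(...).Scan succeeds.
type rows struct{ done bool }

func (r *rows) Columns() []string { return []string{"age"} }
func (r *rows) Close() error      { return nil }
func (r *rows) Next(dest []driver.Value) error {
	if r.done {
		return io.EOF
	}
	r.done = true
	dest[0] = int64(42)
	return nil
}

var rec = &recorder{}

func init() { sql.Register("recorder", rec) }

// Observed is what the driver saw for one query: the SQL text and the bound args.
type Observed struct {
	Query string
	Args  []driver.Value
}

func lookup(db *sql.DB, query string, args ...any) (Observed, error) {
	var age int
	if err := db.QueryRow(query, args...).Scan(&age); err != nil {
		return Observed{}, err
	}
	rec.mu.Lock()
	defer rec.mu.Unlock()
	return Observed{Query: rec.query, Args: rec.args}, nil
}

// LookupUnsafe concatenates the name into the SQL: user data becomes SQL.
func LookupUnsafe(db *sql.DB, name string) (Observed, error) {
	return lookup(db, "SELECT age FROM users WHERE name = '"+name+"'")
}

// LookupSafe uses a placeholder: the SQL text is constant and the driver
// receives the name as a separate bound value.
func LookupSafe(db *sql.DB, name string) (Observed, error) {
	return lookup(db, "SELECT age FROM users WHERE name = ?", name)
}

// OpenRecorder opens a *sql.DB backed by the recording driver.
func OpenRecorder() (*sql.DB, error) { return sql.Open("recorder", "") }

func main() {
	db, err := OpenRecorder()
	if err != nil {
		panic(err)
	}
	name := "' OR '1'='1" // constructed hostile input that closes the quoted literal
	u, _ := LookupUnsafe(db, name)
	s, _ := LookupSafe(db, name)
	fmt.Printf("concatenated: %q args=%v\n", u.Query, u.Args)
	fmt.Printf("placeholder:  %q args=%v\n", s.Query, s.Args)
}
```

The recorded concatenated statement reads `SELECT age FROM users WHERE name = '' OR '1'='1'`, which a real database would happily execute as a different query; the placeholder form arrives as `SELECT age FROM users WHERE name = ?` with the hostile string carried only as a parameter. The placeholder syntax (`?`, `$1`, `:name`) depends on the driver, so check its documentation, but the separation of code and data is the same in every case.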

Rob Thornton

Jul 19, 2014, 2:50:20 PM7/19/14
to egon, golang-nuts
Thanks Egon, this is exactly what I wanted to know.

