Sanitize? On/off

Can someone tell me what this is for?
image

This is for when you bind text to data provided by the user (for example a comment you have registered in the database).
This will escape special characters, so that you are not vulnerable to XSS attacks.
This is not active by default because sometimes you want these characters to be interpreted (for example, making some part of the text bold is done with some markup).


Thank you!!

Is sanitize done in the front-end only, or in some middleware/server-side and inaccessible by the end user? In other words, is this sanitize trustworthy and we don’t have to re-sanitize on the back end, or is this pure front end sanitization and we still have to sanitize on the back end for 100% security?
Thanks!

Always sanitize on the backend. I can hit your API via curl/fetch from your WeWeb app, and any front-end sanitization won’t do anything about it.
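As an added illustration (not WeWeb's code, and not from anyone in this thread) of the two points above: what an escaping "sanitize" step does to a stored comment, why it is off by default when markup is wanted, and why the same function has to run on the backend, where the request actually arrives. The `sanitizeKeepingBasicMarkup` helper is a hypothetical, escape-first variant that re-enables only exact `<b>`/`<i>` tokens; the sample comments are constructed.

```javascript
// Map every HTML-significant character to its entity so the browser renders
// it as literal text instead of parsing it as markup.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Plain escaping: this is what a "sanitize on" binding does to the value.
// Run it on the server too; a client can skip the front end and call the
// API directly, so client-side escaping alone proves nothing.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Exact tags (no attributes) allowed to survive escaping.
const ALLOWED_TAGS = ['b', 'i'];

// Escape everything first, then restore only fixed literal tokens such as
// "<b>" and "</b>". Since the restored strings contain no attributes and
// no user-controlled bytes, nothing from the input reaches the parser as
// markup; a "<b onclick=...>" stays escaped because it is not an exact match.
function sanitizeKeepingBasicMarkup(text) {
  let out = escapeHtml(text);
  for (const tag of ALLOWED_TAGS) {
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`);
    out = out.split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

// Constructed comments, as they might be stored in the database.
const comments = [
  'Great <b>article</b>!',                  // markup the author wants rendered
  'Hello <img src=x onerror="alert(1)">',   // markup that must never execute
];

for (const c of comments) {
  console.log('stored:           ', c);
  console.log('sanitize on:      ', escapeHtml(c));
  console.log('escape + allowlist', sanitizeKeepingBasicMarkup(c));
}
```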

Gotcha, so just to confirm: everything in WeWeb, regardless of plugin or the sanitization, is 100% front-end only and not through any secure middleware, proxy, etc?

Also out of curiosity, what’s your strategy for sanitizing on the back end? We are still figuring out the best way. We are using Supabase for the back end.