Hi,
I am aware that this library sanitizes input for the most part, but I can't find an easy way to centralize sanitizing the output to prevent "stored XSS".
"Stored Cross-Site Scripting" is what happens when someone manages to bypass sanitization (or writes directly to the database, or takes advantage of raw queries) and stores in data (for example, a comment) JavaScript that will later be interpreted by the browser.
I was looking for a parameter when selecting data that applies an XSS function (htmlspecialchars would do, but I can imagine passing a parser function to some fields may be useful for other things) but I can't find it.
Is there some function or parameter that allows me to specify a parsing function for content (or all query results, if there's no chance of ever handling HTML or JavaScript in the content)?
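One way to get the centralized output-escaping step the issue asks for, as an added example that is not the library's own code and assumes nothing about its API: the rows are a plain PHP array of the shape a SELECT would return, and `escapeHtml()`, `escapeRows()` and `renderComments()` are hypothetical helpers written for this illustration. Escaping is applied once, where the data leaves the data layer, with a per-column override so that a column that is already known-safe HTML, or that needs a different transformation, can opt out of the default.

```php
<?php
// Added example: centralize HTML output escaping for query results so that
// stored data is escaped at one boundary instead of in every template.
// Not the library's code; helper names are hypothetical.
declare(strict_types=1);

/**
 * Escape one value for an HTML text or quoted-attribute context.
 * ENT_QUOTES covers both ' and ", ENT_SUBSTITUTE keeps invalid UTF-8 from
 * silently turning into an empty string, and the charset is stated explicitly.
 */
function escapeHtml($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Apply escapers to every row.
 *   $fieldEscapers maps column name => callable, or null to leave a column raw
 *   (for example a column that holds HTML already sanitized by an allow-list filter).
 *   Columns not listed fall back to $default, which is escapeHtml() unless overridden.
 */
function escapeRows(array $rows, array $fieldEscapers = [], ?callable $default = null): array
{
    $default = $default ?? 'escapeHtml';
    $out = [];
    foreach ($rows as $row) {
        $clean = [];
        foreach ($row as $column => $value) {
            if (array_key_exists($column, $fieldEscapers)) {
                $escaper = $fieldEscapers[$column];
                $clean[$column] = $escaper === null ? $value : $escaper($value);
            } else {
                $clean[$column] = $default($value);
            }
        }
        $out[] = $clean;
    }
    return $out;
}

/** Render comments; $escape = false reproduces the vulnerable "echo straight from the DB" pattern. */
function renderComments(array $rows, bool $escape = true): string
{
    // 'id' is numeric, so intval is a stricter choice than HTML escaping for it.
    $rows = $escape ? escapeRows($rows, ['id' => 'intval']) : $rows;
    $html = '';
    foreach ($rows as $row) {
        $html .= "<p data-id=\"{$row['id']}\"><b>{$row['author']}</b>: {$row['body']}</p>\n";
    }
    return $html;
}

// Constructed sample rows: what a SELECT on a comments table might return after
// someone bypassed input sanitization (or wrote to the table with a raw query).
$rows = [
    ['id' => 1, 'author' => 'alice', 'body' => 'Nice post!'],
    ['id' => 2, 'author' => '"><script>alert(1)</script>',
                'body'   => '<img src=x onerror="alert(document.cookie)">'],
];

// Vulnerable: stored markup reaches the browser as markup.
echo renderComments($rows, false);

// Hardened: the same rows, escaped once at the boundary, so the browser shows
// the payload as literal text instead of executing it.
echo renderComments($rows, true);
```

The per-column map is the part the issue is really asking for: the default path escapes everything, and a column is only rendered raw when someone explicitly passes `null` for it, so "forgot to escape" is no longer the failure mode. Escaping with `htmlspecialchars` is correct for HTML text and quoted attributes only; a value going into a `<script>` block, a URL, or a CSS context needs a different encoder, which is why the map takes a callable rather than a boolean.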