Input sanitization

Douglas Naphas edited this page Feb 20, 2019 · 2 revisions

We sanitize inputs using field-specific whitelisting. Only whitelisted characters are allowed in front-end input boxes. The back end rejects posts whose fields contain characters off the whitelist.

Field-specific whitelists

The following fields have the indicated whitelists applied:

  1. Room Code: [A-Z]
  2. Game Name: [-A-Za-z ,0-9]
  3. Lib: [-A-Za-z ,0-9."']

Front-end and back-end

Run the same sanitization function on the front and back end.

Idempotency

Sanitization must be idempotent: running the sanitization function on its own output must return that output unchanged, so a value that has already been sanitized on the front end is not altered again when the back end sanitizes it.

References

  1. OWASP XSS prevention cheat sheet

Enhancement

Issue 116 is open to enhance XSS sanitization.