
Failure to properly escape HTML and SQL used to be the most common security issue people found (and perhaps the most common bug).


How is this problem solved using most of the libraries people have mentioned in this discussion that don't use strings?


You'll generally have two functions:

  addFragment : (String, IntermediateHtmlAST) -> IntermediateHtmlAST

  renderHtml : IntermediateHtmlAST -> String

There is a sanitization pass that occurs either in the final conversion of the intermediate data structure to an HTML string (renderHtml), or immediately on the function call (addFragment).

This is similar to how database query libraries let you build up a SQL query via an intermediate data structure and then convert that to a prepared SQL statement (most common) or do data sanitization on the input fragment (less ideal).
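Both halves of the comment above (escaping at renderHtml time, and a query builder that yields a prepared statement) in one runnable sketch. This is an added example, not the commenter's code and not any real library's API; the names Text, Element, add_fragment, render_html, Query, render_sql and lookup_user are invented for illustration, and the users table is constructed sample data.

```python
"""Escape-at-render for HTML and parameterise-at-render for SQL.
Illustrative code with invented names; not a real library's API."""
import html
import sqlite3
from dataclasses import dataclass, field
from typing import Union


# --- HTML: the AST remembers what is data; render_html does the escaping --

@dataclass
class Text:
    """Untrusted text. Stored verbatim, escaped only when rendered."""
    value: str


@dataclass
class Element:
    """Tag and attribute *names* are developer-controlled (assumption);
    attribute *values* and child text are treated as untrusted."""
    tag: str
    attrs: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


Node = Union[Text, Element]


def add_fragment(text: str, parent: Element) -> Element:
    """Analogue of addFragment: attach an untrusted string as a Text node.
    Nothing is escaped here; the node type records that this is data."""
    parent.children.append(Text(text))
    return parent


def render_html(node: Node) -> str:
    """Analogue of renderHtml: the single place where escaping happens,
    so a fragment can never be forgotten or double-escaped."""
    if isinstance(node, Text):
        return html.escape(node.value, quote=True)
    attrs = "".join(
        f' {name}="{html.escape(str(val), quote=True)}"'
        for name, val in node.attrs.items()
    )
    inner = "".join(render_html(child) for child in node.children)
    return f"<{node.tag}{attrs}>{inner}</{node.tag}>"


# --- SQL: the builder keeps SQL text and values apart until execution -----

@dataclass
class Query:
    """Intermediate SQL structure: text with '?' placeholders plus the
    parameter list. Values never touch the SQL string."""
    sql_parts: list = field(default_factory=list)
    params: list = field(default_factory=list)

    def raw(self, fragment: str) -> "Query":
        """Developer-written SQL (keywords, column names). Never user input."""
        self.sql_parts.append(fragment)
        return self

    def value(self, param) -> "Query":
        """Untrusted value: emitted as a placeholder, bound at execution."""
        self.sql_parts.append("?")
        self.params.append(param)
        return self


def render_sql(q: Query) -> tuple:
    """Turn the structure into (sql, params) for a DB-API prepared call."""
    return " ".join(q.sql_parts), list(q.params)


def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    q = Query().raw("SELECT id, name FROM users WHERE name =").value(name)
    sql, params = render_sql(q)
    return conn.execute(sql, params).fetchall()


def demo() -> dict:
    # Constructed sample data for the example, not from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])

    page = Element("div", {"class": "user"})
    add_fragment("<script>alert(1)</script>", page)  # would be XSS as a string

    return {
        "html": render_html(page),
        "honest": lookup_user(conn, "alice"),
        # With string concatenation this would return every row;
        # as a bound parameter it is just a name nobody has.
        "injected": lookup_user(conn, "' OR 1=1 --"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two node types is that the type system, not the programmer's memory, decides what gets escaped: a Text node always passes through html.escape, and a Query value always becomes a placeholder. Escaping at add_fragment time instead (the "less ideal" option in the comment) works, but then the AST holds already-escaped strings and a second render path can easily escape them again or, worse, assume they are raw.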


Why don't you just look up one of those libraries? Most of them have some sort of description of how they work.



