Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

“Checking for escaped text” is the sort of nonsense that tells you you’re dealing with amateur developers.


Indeed. The rules are simple:

- Unescape, sanitize or validate at all entry points.

- Escape all outputs (this includes the database queries).

If you follow those simple rules, you never have to check once you are past a controller. And you should fuzz your controllers to make sure no unexpected data makes it past there.


Thing about taking a job is they don’t generally let you look at the code first and nope out if it’s fucked six ways to Sunday.

Everyone has clever answers for greenfield projects and empty rhetoric for brown.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: