Questions tagged [escaping]
11 questions
4 votes, 2 answers
Should REST API return escaped user generated content
We have a REST API that returns user generated content from a database. Before inserting the data into the database the data is sanitized.
But when returning the data we do not escape / decode the data, so in theory it would be possible to insert…

sveri (rep 585, badges 4/9)
4 votes, 1 answer
Which is a more efficient approach to decoding escape sequences in text?
I'm working on parsers that not only process delimited content, but also escape sequences within certain portions of that content. I'm contemplating the efficiency of several approaches to tokenization and would appreciate thoughts on the…

rgchris (rep 365, badges 1/9)
2 votes, 1 answer
Does it make sense to sanitize email form input?
So, I'm extending this email submission form script for a client and saw something rather strange to my experience. As you can see below, the original programmer has sanitised the user input. Is this a good practice or does this make sense at…

Banago (rep 276, badges 1/6)
2 votes, 3 answers
Escaping strings in database layer
Can escaping functions (e.g. mysql_real_escape_string) be moved down to the database layer, where we would loop through all parameters passed for all queries and escape all strings? Would that be a good design?

Imran Omar Bukhsh (rep 1,959, badges 16/25)
2 votes, 0 answers
Tainted String Type in Kotlin
Two of the top 3 security vulnerabilities in the OWASP Top 10 come from trusting user input (Injection and XSS). To deal with this, Ruby lets you "taint" Strings received from the user as unsafe.
In a type-safe language like Kotlin you can…

GlenPeterson (rep 14,890, badges 6/47/75)
2 votes, 1 answer
Optimized Special Character Escaper vs Matcher/Pattern
I need to escape special characters which are sent to Apache Lucene.
Since the code will run on a production server, I want the code to be the fastest possible.
I've seen multiple ways to do it:
Using Pattern
Using Replace
Using Library
See:…

Menelaos (rep 267, badges 3/14)
1 vote, 1 answer
pcre case insensitivity: handle escape sequences as raw bytes?
Consider the following regex (no unicode):
Example:\x04\x05\x41
Suppose you search this regex case-insensitively. Would you expect it to search the final \x41 in case-sensitive manner? People whom I ask actually expect such behavior. And such…

Muxecoid (rep 111, badges 5)
0 votes, 3 answers
Using the symbol ⎋ to denote any "escape" in Javascript, CSS, HTML etc
I know that:
Computer keyboards have an Escape Key
The symbol for the Escape Key is U+238B Broken Circle with Northwest Arrow (⎋)
and I also know that:
HTML5 & CSS3 both have escape characters
Javascript has the backslash escape character (\)…

Rounin (rep 275, badges 1/10)
0 votes, 4 answers
How to escape regexes and paths in double quote strings without going crazy?
It often happens that after designing my regexp (on regex101.com) I want to paste it in my program. Consider this regexp that matches numbers and string (but keep in mind this is a general question!):
^(\"(?:[^\"]|\\\")*\"|\-?[0-9]+(?:\.[0-9]+)?)$
I…

Tomáš Zato (rep 853, badges 1/10/20)
0 votes, 2 answers
How does Facebook strip html/apostrophes for XSS but also display it?
I'm not quite sure if this is a question for programmers.se rather than stackoverflow, but here goes. So Facebook [or any other large company] when given something like an apostrophe or html, can strip it of its malicious intent, but still display…

Someone (rep 191, badges 5)
-1 votes, 2 answers
Is there any danger in rendering user-entered HTML and can it be mitigated?
I'm guessing the answer is no because there's quite a few examples, including right here. If I let users submit their own HTML text and then render it side by side, what could the user do that would break the rest of the page and how can I guard…

leylandski (rep 407, badges 1/3/14)