The age-old question: how to sanitize user input?


#1

I know we are going through a bit of a shakeup in the move from 0.3.9 to 0.4.0 but I want to continue working through some issues here. Maybe this will lead to some ideas of how to do this APIStar style.

I am looking at working with Vue.js to build a SPA that will call an APIStar backend. The user will use a Quill.js component to create content, but that library does nothing for sanitizing user input. In the past with Flask I relied on the jinja2 functionality to sanitize user-submitted input as it came out of the DB and was sent to the user. The problem gets a little turned around though in this use case. I want to scrub user input before it is saved in the backend. So whatever endpoint I submit my JSON to will need to sanitize the content so that when it is retrieved it is XSS-free.

How do you guys manage sanitizing user input in your applications? Are there any libraries you have found exceptionally helpful in the process? Would it be beneficial to create a Component that can be configured and used to sanitize input?


#2

Well, I would use the type system for most of the basic validation.

If you need more complex validation, you could try the framework-agnostic marshmallow.


#3

My friends and I have been looking around and we actually found a Mozilla project called Bleach. The use case I am concerned with is someone passing in some nefarious javascript <script> doEvil() </script> into the text editor, getting saved in my db, then rendered back out to my users. Looking at how you can configure it I think it will be a great library to bring in as a component and just bleach.clean(<script> doEvil() </script>) that JSON string before committing it to the backend.

I don’t know how I could get the same behavior out of the type system.


#4

My recommendation is to sanitize on the backend; a malicious actor can always get around frontend JS validations. You could always just validate inside the function:

import bleach

def create_product(product: Product):
    # Escape/strip any markup that is not on bleach's allow-list
    # before the description is persisted.
    product['description'] = bleach.clean(product['description'])
    # save to db

https://pypi.python.org/pypi/bleach
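To make concrete what "clean the JSON string before committing it" (#3) and "sanitize inside the handler" (#4) actually do to a payload, here is an added example that is not part of this thread and is not bleach's code. It implements the same allow-list idea with only the standard library so it runs anywhere: tags not on the list are escaped (so a pasted `<script>` shows up as literal text rather than executing), attributes not on the list are dropped, `href` values with a non-http(s)/mailto scheme are dropped, and unclosed allowed tags are closed. The tag and attribute lists, the `Product`-style dict, and `create_product` are constructed for this illustration; bleach covers many more cases (entities, CSS, protocol-relative tricks) and is the better choice in a real service, so treat this as a readable model of the approach rather than a replacement.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list for a rich-text editor payload (constructed for this example;
# adjust to the formatting Quill.js is actually configured to emit).
ALLOWED_TAGS = {"p", "b", "strong", "i", "em", "u", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_url(value):
    """Accept relative URLs and the allowed schemes; reject javascript: and friends."""
    if value is None:
        return False
    # Browsers ignore tabs/newlines inside URLs, so strip them before parsing
    # (otherwise "java\tscript:" would look scheme-less and slip through).
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input, keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowed tags we have emitted but not yet closed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Escape the whole raw tag so it renders as visible text.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not _safe_url(value):
                continue
            safe_attrs.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(safe_attrs)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(html.escape("</%s>" % tag))
        elif tag in self.open_tags:
            # Close anything left open inside this tag so nesting stays valid.
            while self.open_tags:
                closing = self.open_tags.pop()
                self.out.append("</%s>" % closing)
                if closing == tag:
                    break
        # A stray end tag for an allowed-but-not-open tag is simply dropped.

    def handle_data(self, data):
        # Text content is always escaped; comments/declarations are discarded
        # by the base class defaults.
        self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(raw):
    """Return an allow-listed, well-formed version of the submitted markup."""
    parser = AllowListSanitizer()
    parser.feed(raw)
    return parser.close()


def create_product(product):
    """Hypothetical handler in the spirit of post #4: scrub before persisting."""
    product = dict(product)
    product["description"] = sanitize_html(product.get("description", ""))
    # save to db would happen here
    return product


if __name__ == "__main__":
    # Constructed sample payload, as the editor might POST it.
    payload = {"name": "Widget",
               "description": "<p>Nice <script>doEvil()</script> widget</p>"}
    print(create_product(payload)["description"])
```

Run as a script it prints `<p>Nice &lt;script&gt;doEvil()&lt;/script&gt; widget</p>`: the markup survives as text, nothing executes when it is rendered back out. The design choice worth noting is that the sanitizer never tries to recognise "bad" constructs; it only re-emits what is explicitly allowed, which is why the event-handler attribute and the `javascript:` link in the tests below disappear without being named anywhere in the code.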