javascript - Sanitizing input that will later appear in HTML


I've got a <textarea> whose value is sent off to the server and stored in a database. The value is later rendered on different pages in HTML.

What do I need to do to sanitize this? Remove HTML tags? (It's SQL-injection safe because I'm using a stored procedure and parameters.)

Is there a sanitize routine?

Do not sanitize the input. Instead, encode it when you output it. This is easy to enforce with .NET 4 features (<%: "" %>) or by code review.

Data should be stored in its native format. Human-readable text has text as its native format, not an encoded version of it. You cannot manipulate encoded text (say, doing highlighting of words or replacements).

Not encoding the text in the database also saves a little storage space.

Sanitizing input is hard anyway. It is harder than encoding everything. Blacklisting HTML tags is a way to forget something, so don't do it.
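The store-raw, encode-on-output approach from the answer above, as an added JavaScript example that is not part of the original question or answer: the textarea value is kept as-is, an assumed escapeHtml helper is applied only when HTML is built, and a search-term highlight runs on the raw text, which would not match if the stored copy were already encoded (the sample value and function names are constructed for this example).

```javascript
// Constructed sample of what a user typed into the <textarea>; stored verbatim.
const storedValue = 'Tom & Jerry <3 "cheese" <script>alert(1)</script>';

// Encode the five characters that matter in HTML text and attribute contexts.
// This runs at render time, never before the value is written to the database.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Highlight a term by working on the raw text, then encoding each piece.
// The <mark> tags are added after encoding, so they are the only markup in the output.
function renderWithHighlight(rawText, term) {
  if (!term) return escapeHtml(rawText);
  const pieces = rawText.split(term);
  return pieces.map(escapeHtml).join(`<mark>${escapeHtml(term)}</mark>`);
}

// Illustrates the answer's point about manipulating encoded text: a raw search
// term like "<3" is found in the raw value but not in an encoded copy ("&lt;3").
function containsTerm(value, term) {
  return value.includes(term);
}

// Full render of the stored value with a highlight; the embedded <script> text
// becomes inert "&lt;script&gt;..." while the match is still marked.
function renderComment(term) {
  return `<p>${renderWithHighlight(storedValue, term)}</p>`;
}
```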
