Input Sanitization

Problem

Applications are vulnerable to XSS attacks where malicious scripts execute in users’ browsers. User-provided content with HTML or JavaScript tags can break layouts, steal session tokens, or redirect users to phishing sites. Display names, comments, or profile fields become security holes.

Solution

Strip or escape potentially dangerous characters from user input before processing or storage. This prevents injection attacks and ensures data conforms to expected formats.

Example

This example demonstrates sanitizing user input by converting it to text content, which escapes HTML tags to prevent XSS attacks.

function sanitizeHTML(input) {
  // Create a temporary div element
  const div = document.createElement('div');
  // Set as text content - this automatically escapes HTML/script tags
  div.textContent = input;
  // Return the escaped HTML - tags become < > entities
  return div.innerHTML;
}

// Safe to render - script tags are escaped, not executed
const safeContent = sanitizeHTML(userInput);

Benefits

• Prevents XSS attacks by neutralizing malicious scripts in user input.
• Protects against injection attacks that could compromise application security.
• Ensures data conforms to expected formats, preventing display bugs.
• Provides defense-in-depth security layer alongside output encoding.

Tradeoffs

• May strip legitimate content if rules are too aggressive or poorly configured.
• Requires ongoing maintenance as new attack vectors are discovered.
• Can create confusion when users see their input modified after submission.
• Should be combined with output encoding, not used as the only security measure.