Ask HN: Should we validate free text input from user? What validations are a must? - bangda
======
braunshizzle
Any input from a user should be validated and sanitized. Plain and simple.

~~~
bangda
But for input like comments and posts, what patterns need to be checked for
and blacklisted?

~~~
leipert
The grandparent already said it: yes, you need to check and sanitize stuff.

It depends on what you are doing. You have to be more specific about your use
case. There are a lot of sources out there regarding these topics, but maybe I
can give you some hints.

Do you think of HTML forms which are sent via POST? If yes, what type of
backend are you using? If you are using, say, a simple MySQL behind a PHP
application, have a look into prepared statements, which help you store data
in a more secure way by preventing SQL injections.

If you want to display comments, the easiest way is to handle them as plain
text and escape/strip all HTML when reading from the backend, to prevent
injection of JavaScript into the site.

If you want to allow styling of the comments, make sure you just allow
specific whitelisted HTML tags like <b> or <i> or <strong>.

As you can see, depending on your use cases there are different requirements. I
would recommend starting with the easiest solution (only allow plain text) and
start working from there. Also have a look at what your frameworks provide, if
you use any.
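A small working illustration of the three points in this reply (escape on output, an allowlist of tags, and a prepared statement). This is an added example, not code from the thread; it is Python with an in-memory SQLite database standing in for the MySQL-behind-PHP setup mentioned, and the table and function names are made up for the demo.

```python
import html
import sqlite3
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "strong"}  # tags a styled comment may keep; attributes never survive

def escape_plain_text(comment: str) -> str:
    """Easiest option: treat the comment as plain text and escape it on output."""
    return html.escape(comment, quote=True)

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup keeping only allowlisted tags and balancing their closing."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:  # attrs are discarded, so no on*= handlers get through
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in self.open_tags:  # also close anything opened after it, keeping output balanced
            while (t := self.open_tags.pop()) != tag:
                self.out.append(f"</{t}>")
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))  # text content is always escaped
    def result(self) -> str:
        self.out.extend(f"</{t}>" for t in reversed(self.open_tags))  # close what was left open
        self.open_tags.clear()
        return "".join(self.out)

def sanitize_styled_comment(comment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(comment)
    parser.close()
    return parser.result()

def make_db() -> sqlite3.Connection:
    """In-memory SQLite (hypothetical 'comments' table) stands in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(author TEXT, body TEXT)")
    return conn

def store_comment(conn: sqlite3.Connection, author: str, body: str) -> int:
    """Parameterized statement: body is bound as data, never spliced into the SQL text."""
    conn.execute("INSERT INTO comments(author, body) VALUES (?, ?)", (author, body))
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
```

The raw comment is stored as-is and escaping happens when it is rendered, which matches the "escape when reading from the backend" advice above.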

