

When do you escape your data? - matan_a
http://n0tw0rthy.wordpress.com/2011/10/07/when-do-you-escape-your-data/

======
Geee
I've just been implementing a comment system, which allows a limited subset of
Markdown formatting. I decided to store both the original document and the
resulting html, which goes through escaping, markdown and htmlpurifier, which
strips everything unwanted. When the comment is edited, the user gets the original
document and the html version is shown on the site. It would be safer to do
the html when outputting, but I decided this way for better performance.

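The store-both-versions pipeline from this post, as an added Python example that is not the poster's code: the Markdown subset and the allowlist purifier are small stand-ins for the real renderer and htmlpurifier, and COMMENTS is a constructed in-memory stand-in for the database table. reprocess_all() covers the case raised later in the thread, re-rendering every comment from its stored original when the cleaning code changes.

```python
import html
import re

# Constructed in-memory stand-in for the comments table: id -> both versions.
COMMENTS = {}

# Allowlist for the purifier stage (stand-in for htmlpurifier's configuration).
ALLOWED_TAGS = {"p", "strong", "em", "code"}


def render_markdown_subset(escaped):
    """Stand-in for the Markdown renderer: a tiny subset over already-escaped text."""
    out = re.sub(r"\*\*([^*]+)\*\*", r"<strong>\1</strong>", escaped)
    out = re.sub(r"\*([^*]+)\*", r"<em>\1</em>", out)
    out = re.sub(r"`([^`]+)`", r"<code>\1</code>", out)
    return f"<p>{out}</p>"


def purify(fragment):
    """Allowlist purifier: keep bare tags in ALLOWED_TAGS, escape every other tag."""
    def keep_or_escape(m):
        slash, tag, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if tag in ALLOWED_TAGS and not attrs.strip():
            return f"<{slash}{tag}>"
        return html.escape(m.group(0))  # unknown tag or any attribute: render as text
    return re.sub(r"<(/?)([A-Za-z0-9]+)([^>]*)>", keep_or_escape, fragment)


def process(raw):
    """The pipeline from the post: escape first, then Markdown, then purify."""
    return purify(render_markdown_subset(html.escape(raw, quote=True)))


def save_comment(cid, raw):
    """Store the original and the pre-rendered HTML; return the HTML."""
    COMMENTS[cid] = {"raw": raw, "html": process(raw)}
    return COMMENTS[cid]["html"]


def raw_for_edit(cid):
    """The edit form gets the untouched original, never the rendered HTML."""
    return COMMENTS[cid]["raw"]


def html_for_display(cid):
    """The site shows the stored HTML without re-rendering on each read."""
    return COMMENTS[cid]["html"]


def reprocess_all():
    """When the cleaning code changes, re-render every stored comment from its original."""
    for entry in COMMENTS.values():
        entry["html"] = process(entry["raw"])
    return len(COMMENTS)
```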
~~~
matan_a
Definitely. Performance requirements do justify what you're suggesting.
Preprocessing when possible is a great principle to follow.

The point is that keeping your original data around is the key part.

~~~
Geee
The thing here is that if something goes wrong and malicious code ends up in
the db, I have to go through every comment and clean them vs. just changing
the code which cleans them way out.

------
smoyer
Most applications these days are more read-intensive, so there's a good payoff
for performing data processing as it's being prepared for storage. And
I've been reminded (the hard way) time and again that the sooner I
clean/correct data, the less likely it is to hurt me later.

