You simply never use string concatenation to produce HTML, CSS, JS, SQL, etc. In... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

continuational on Oct 7, 2020 | parent | context | favorite | on: DOMPurify bypass: XSS via HTML namespace confusion

You simply never use string concatenation to produce HTML, CSS, JS, SQL, etc.

Instead, use e.g. an HTML library that automatically escapes strings. Then you don't even have to think about it.

Join us for AI Startup School this June 16-17 in San Francisco!
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact