I am currently asking questions on Github about HTML escaping in Javascript (in the context of a specific framework), which is apparently a mistake because I've had multiple people tell me "oh just use dompurify" and NO

I specifically said escaping!! I know about sanitization, I use it when I need to, but here I do not need to render HTML at all, stop recommending an inherently less safe option to people who just want to not render any HTML! :blobfacepalm:

(I'm not particularly looking for recommendations here, `stringify-entities` and `html-escaper` both seem perfectly fine for my uses, but I guess if you have a different favorite knock yourself out)

Follow

That said, these kinds of things are helpful for imposter syndrome things because they remind me that oh yeah, you have learned a thing or two in the last decade of building things, hurrah!

And also yes, everyone needs to learn sometime, but if you're actively recommending sanitization to someone who is asking about escaping, you are making the web a less secure place, please read up and stop doing that. It's not a failure to not know, the internet is terrible and complicated, but if you're a web person please do take the opportunity to learn and grow!

Here are a couple good posts that cover things pretty well:
benhoyt.com/writings/dont-sani
blog.presidentbeef.com/blog/20

· · Web · 0 · 0 · 1
Sign in to participate in the conversation
Cybrespace

cybrespace: the social hub of the information superhighway jack in to the mastodon fediverse today and surf the dataflow through our cybrepunk, slightly glitchy web portal support us on patreon or liberapay!