Home/ Questions/Q 8164413
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T19:18:40+00:00

From everything I’ve seen, it seems like the convention for escaping html on user-entered

  • 0

From everything I’ve seen, it seems like the convention for escaping html on user-entered content (for the purposes of preventing XSS) is to do it when rendering content. Most templating languages seem to do it by default, and I’ve come across things like this stackoverflow answer arguing that this logic is the job of the presentation layer.

So my question is, why is this the case? To me it seems cleaner to escape on input (i.e. form or model validation) so you can work under the assumption that anything in the database is safe to display on a page, for the following reasons:

  1. Variety of output formats – for a modern web app, you may be using a combination of server-side html rendering, a JavaScript web app using AJAX/JSON, and mobile app that receives JSON (and which may or may not have some webviews, which may be JavaScript apps or server-rendered html). So you have to deal with html escaping all over the place. But input will always get instantiated as a model (and validated) before being saved to db, and your models can all inherit from the same base class.

  2. You already have to be careful about input to prevent code-injection attacks (granted this is usually abstracted to the ORM or db cursor, but still), so why not also worry about html escaping here so you don’t have to worry about anything security-related on output?

I would love to hear the arguments as to why html escaping on page render is preferred

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The original misconception

    Do not confuse sanitation of output with validation.

    While <script>alert(1);</script> is a perfectly valid username, it definitely must be escaped before showing on the website.

    And yes, there is such a thing as “presentation logic”, which is not related to “domain business logic”. And said presentation logic is what presentation layer deals with. And the View instances in particular. In a well written MVC, Views are full-blown objects (contrary to what RoR would try to to tell you), which, when applied in web context, juggle multiple templates.

    About your reasons

    Different output formats should be handled by different views. The rules and restrictions, which govern HTML, XML, JSON and other formats, are different in each case.

    You always need to store the original input (sanitized to avoid injections, if you are not using prepared statements), because someone might need to edit it at some point.

    And storing original and the xss-safe “public” version is waste. If you want to store sanitized output, because it takes too much resources to sanitize it each time, then you are already pissing at the wrong tree. This is a case, when you use cache, instead of polluting the database.

    • 0