Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Which of the two is a better way to prevent an xss attack?
I find the first one better because you may forget to add this while displaying.
2 — you should convert to the target format at the last possible moment. This saves you from problems down the road should you, for example, decide you want to use the same content in an email, a PDF, as text back to the user for editing, etc, etc.
You might forget when inserting into the database too.
Also, not all data goes into the database. e.g. A preview of data about to be inserted or data put back into a form because of errors are both possible XSS vectors. You don’t want to be dealing with things like “Encode before putting into the database, or when echoing back into the document if it didn’t come from a database”. Exceptions are the best way to get yourself into a situation where you forget to encode.