undefined | Better HN

0 pointsviraptor1y ago0 comments

So what you're proposing is encode to html on input, to sql on output, passthrough to html, and encode to Json on output but after decoding from the saved html - and just document it well?

0 comments

bruce3434341y ago

I'm not sure, I've never run into this issue. I'd probably just look for another job if you want the honest answer.

For what it's worth: if a column in your database is used in so many contexts, you could document that it's simply unsanitized. Like, I prefer having as few entries for bugs and fuckups, and knowing that the database data is always sanitized helps with that. But it's not an unbreakable, absolute sort of rule.

And I never really escape strings for SQL, as I always use prepared statements - forgetting prepared statements is an easy thing for code review to catch.

I also have a project where there is HTML stored, which is not escaped because the purpose is to directly output that HTML somewhere, and it really is supposed to be HTML.

It simply depends. But as long as it's documented, and hopefully as clear and consistent as possible.

j / k navigate · click thread line to collapse

0 comments

bruce3434341y ago

I'm not sure, I've never run into this issue. I'd probably just look for another job if you want the honest answer.

And I never really escape strings for SQL, as I always use prepared statements - forgetting prepared statements is an easy thing for code review to catch.

I also have a project where there is HTML stored, which is not escaped because the purpose is to directly output that HTML somewhere, and it really is supposed to be HTML.

It simply depends. But as long as it's documented, and hopefully as clear and consistent as possible.

j / k navigate · click thread line to collapse