Comment by hyperhello

2 days ago

To be fair, everything on the client is raw string interpolation. It's only secure if you comprehensively vet everything once it's on the server.

That's absolutely not true. Sanitization on the client is significantly safer, because the client knows how it parses HTML, while the server can, at best, guess (and hope it follows the spec).

When you set element.textContent = someUserGeneratedContent, the browser guarantees that the user-generated content will never be parsed as HTML.

response.write("<div>" + sanitize(someUserGeneratedContent) + "</div>") has no such guarantee.
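What the server-side sanitize in that response.write line has to do to match the guarantee textContent gives the client, written out as an added example (not the commenter's code): every character the HTML parser would treat as markup in element text content becomes a character reference, and the round trip through a decoder shows the user sees exactly what they typed. The function names and the sample input are constructed for the example; the escaping is only correct for element text content, not attribute values, script bodies or URLs.

```javascript
// Added example, not part of the original comment.
// Server-side counterpart of element.textContent: turn the characters that
// start or end markup into character references so the browser's HTML parser
// can only ever see them as text. Correct for element text content ONLY;
// attribute values, <script> bodies and URLs follow different parsing rules.
const TEXT_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape user text for an element's text-node context.
function escapeHtmlText(userText) {
  return String(userText).replace(/[&<>"']/g, (ch) => TEXT_ESCAPES[ch]);
}

// The comment's response.write("<div>" + sanitize(x) + "</div>") with the
// template fixed and only the user-controlled part escaped.
function renderComment(userText) {
  return '<div>' + escapeHtmlText(userText) + '</div>';
}

// Decode the five references above, standing in for what the browser's
// parser turns the text node back into when it renders the page.
const TEXT_UNESCAPES = {
  '&amp;': '&',
  '&lt;': '<',
  '&gt;': '>',
  '&quot;': '"',
  '&#39;': "'",
};
function decodeHtmlText(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (ref) => TEXT_UNESCAPES[ref]);
}

// Check that no '<' or '>' inside the <div> comes from the user: the only
// tag delimiters left in the output are the ones the template wrote.
function userTextOpensTag(userText) {
  const inner = renderComment(userText).slice('<div>'.length, -'</div>'.length);
  return /[<>]/.test(inner);
}

// Constructed sample input with every escaped character present.
const sample = '<b>hi</b> & "it\'s"';
console.log(renderComment(sample));
console.log(decodeHtmlText(escapeHtmlText(sample)) === sample); // true
```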