We're having a conflict with coworkers on whether we should HTML-encode
user input and then save it to the DB
(vs. saving it as-is).
I also found various answers which say that the DB
should save the plain(!) input.
Why? Because the DB should know that the user's input length is 1 in <
and not 4 in &lt;
The HTML encoding should only be done when outputting.
But:
Having said that, I see that Stack Overflow is not following this rule.
When I save a question here at SO which contains a plain <
it does show (obviously) the <
in the preview pane. BUT when I submit the question, it submits the content as JSON with HTML encoding!
JSON.stringify does not do HTML encoding.
So if I type in the input:
And submit:
I see (via Fiddler) that it actually sends the HTML-encoded value:
Question:
As you see, I'm a bit confused. The common logic says that the DB should save whatever the user types, 1:1.
The sanitization should be done at the output.
You must encode input sent to the server, because otherwise the anti-Cross-Site-Scripting protection on the server will block the entire request. However, you decode this input before saving it to the DB.
In other words, what you see in the POST isn't necessarily what is saved to the database.
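As an added example (not code from the question or the answer above), the following JavaScript shows the points raised in the thread: JSON.stringify does not HTML-encode, a raw "<" has length 1 while its encoded form has length 4, encoding belongs at output time, and encoding both before storage and at output double-encodes what the user sees. The escapeHtml helper and the sample input are constructed for this illustration.

```javascript
// Minimal HTML encoder for text nodes and double-quoted attribute values.
// (Constructed for this example; real apps should use their framework's encoder.)
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed user input containing markup and special characters.
const userInput = '<b>hi</b> & "bye"';

// 1. JSON.stringify does not HTML-encode: "<b>" travels verbatim in the JSON body
//    and round-trips unchanged, so any &lt; seen on the wire was added separately.
function jsonBodyKeepsMarkup(input) {
  const body = JSON.stringify({ text: input });
  return body.includes("<b>") && JSON.parse(body).text === input;
}

// 2. Storing the raw string keeps its true length; storing the encoded form inflates it
//    ("<" is 1 character, "&lt;" is 4), which breaks length validation and searches.
function storedLengths(input) {
  return { raw: input.length, encoded: escapeHtml(input).length };
}

// 3. The recommended flow: raw value in the DB, escaped exactly once when rendered.
function renderFromDb(storedValue) {
  return `<p>${escapeHtml(storedValue)}</p>`;
}

// 4. The contested flow: encode before saving AND encode at output. The stored "&lt;"
//    is escaped again to "&amp;lt;", so the browser shows the literal text "&lt;b&gt;".
function doubleEncodedRender(input) {
  const storedEncoded = escapeHtml(input); // encoded on the way in
  return renderFromDb(storedEncoded);      // encoded again on the way out
}

console.log(jsonBodyKeepsMarkup(userInput));   // true
console.log(storedLengths("<"));               // { raw: 1, encoded: 4 }
console.log(renderFromDb("<b>hi</b>"));        // <p>&lt;b&gt;hi&lt;/b&gt;</p>
console.log(doubleEncodedRender("<b>"));       // <p>&amp;lt;b&amp;gt;</p>
```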