Sanitization
ELI5 — The Vibe Check
Sanitization is cleaning up user input before using it — stripping out anything dangerous like script tags or SQL commands. Like a kitchen that washes vegetables before cooking. If you display or execute raw user input without sanitizing, you're basically cooking with mud and hoping for the best.
Real Talk
Input sanitization transforms user-supplied data to remove or neutralize malicious content before processing or storage. It's a defense against XSS, SQL injection, and command injection, but it complements rather than replaces the primary controls for each context: output encoding for HTML, parameterized queries for SQL, and argument arrays instead of string-built shell commands. Libraries like DOMPurify (client-side) and validator.js (server-side) handle common sanitization tasks.
Show Me The Code
import DOMPurify from 'dompurify';
import { escape } from 'validator';
// userHtml and userInput are untrusted strings, e.g. from a form field or API body
const div = document.getElementById('comment');
// Sanitize HTML content before rendering: DOMPurify keeps harmless markup
// and strips scripts, event-handler attributes and other dangerous constructs
const safeHtml = DOMPurify.sanitize(userHtml);
div.innerHTML = safeHtml;
// Escape for plain text contexts: converts <, >, &, quotes, / and other
// special characters to HTML entities so the browser shows them as text
const safeText = escape(userInput);
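The two calls above do different jobs: escaping turns every markup character into text, while sanitizing keeps an allowlist of harmless markup and drops the rest. The following is an added example (not code from the original page, DOMPurify or validator.js) that implements both on constructed sample inputs: escapeHtml handles the plain-text context, and sanitizeRichText uses the "escape everything, then restore only exact attribute-free tags" approach, so an allowed tag carrying an attribute stays escaped. The helper names, the ALLOWED_TAGS list and the SAMPLES inputs are assumptions made for the example.

```javascript
// Added example, not part of the original page. Implements HTML escaping
// and an escape-then-allowlist sanitizer to show how they differ.

// 1. Escape for a plain-text HTML context: every character that can start
//    markup becomes an entity, so the browser renders it as literal text.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Escape then allowlist: escape everything, then restore only an exact,
//    attribute-free set of tags (hypothetical allowlist for this example).
//    Only literal strings like "<b>" and "</b>" are put back, so a tag that
//    carries any attribute (onclick=, onerror=, href=) never reaches the DOM.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong'];

function sanitizeRichText(input) {
  let out = escapeHtml(input);
  for (const tag of ALLOWED_TAGS) {
    out = out
      .split(`&lt;${tag}&gt;`).join(`<${tag}>`)
      .split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

// Constructed sample inputs, not real user data. The second and third are
// the kind of markup a sanitizer must neutralize.
const SAMPLES = [
  'Hello <b>world</b>',
  '<img src=x onerror="alert(1)">',
  '<b onclick="steal()">click</b>',
  'Tom & Jerry say "hi"',
];

// Returns each sample with both treatments applied, for comparison.
function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    text: escapeHtml(s),
    rich: sanitizeRichText(s),
  }));
}

for (const row of demo()) {
  console.log(row);
}
```

Note that in the third sample the opening `<b onclick=...>` stays escaped because it is not an exact allowlisted literal, while the bare `</b>` is restored; a stray closing tag is inert. Real sanitizers such as DOMPurify parse the markup into a DOM and filter nodes and attributes rather than matching strings, which is why this approach is only a teaching illustration of the allowlist idea.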
When You'll Hear This
"Sanitize all user input before storing it in the database." / "The comment was sanitized to remove XSS payloads."
Related Terms
Encoding
Encoding is converting data into a different format for safe transport or storage — not for security, but to prevent misinterpretation.
Escape
Escaping means converting special characters into their safe equivalents before putting them in HTML, SQL, or a shell command.
Input Validation
Input validation is checking that user input is what you expect before using it.
OWASP Top 10
The OWASP Top 10 is the security industry's greatest hits of web vulnerabilities — the 10 most common, dangerous ways apps get hacked.
SQL Injection
SQL injection is when a hacker types SQL code into a text field instead of normal text, and your stupid database runs it.
XSS (Cross-Site Scripting)
XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.