I was concerned because the blog post said that the sanitized the input before sending it, and looking at the network requests agreed!
However while you can submit HTML directly it is displayed as text on the client anyways. So I am wondering why they even bother to "sanitize" it. It just munges the comments for no reason.
It would make more sense to escape all submitted html instead of trying to sanitise it, also add a sensible character limit. At the moment this guestbook seems to be unusable.
I'd also like to note that doing purification on the client on submit [0] isn't wise - anyone can just skip purification and post something malicious directly to the netlify function. If you absolutely have to sanitisation on the client - at least do it on render instead.
9 comments
[ 2.8 ms ] story [ 32.7 ms ] threadhttps://sunnygolovine.com/post/make-a-guestbook
However while you can submit HTML directly it is displayed as text on the client anyways. So I am wondering why they even bother to "sanitize" it. It just munges the comments for no reason.
Btw, the social links at the top of your website don’t work ;)
Repo is here...
https://github.com/sgolovine/sunnygolovine.com
Deploying of lambda functions from the repo through netlify is pretty neat have a look in the functions folder.
I'd also like to note that doing purification on the client on submit [0] isn't wise - anyone can just skip purification and post something malicious directly to the netlify function. If you absolutely have to sanitisation on the client - at least do it on render instead.
[0] https://github.com/sgolovine/sunnygolovine.com/blob/master/s...
Currently working on fixing the issues.