:PROPERTIES: :ID: 6df725cd-289d-4c22-b359-c9e4d4167468 :END: #+title: 2021-10-22 * Huddle to discuss XSS validation in the new-list client - Concerns [[id:05698e38-65b2-496c-b02b-1db376ae734c][Validation vs Sanitization]] - Sanitize on input in the frontend? (Ignore / remove invalid characters as data is being typed) - Warn when invalid characters are present? - This is preferable - It should be expected that the backend will return an error if/when invalid content is submitted ** How does this apply to tag entry? - Tagging doesn't currently have an error state for invalid input that we can leverage ** Action items - Chris V will bring tag input validation to the product meeting on Tuesday ([[file:~/Nextcloud/org/aweber.org::*Follow up with Chris V on tagging input validation][TODO]]) - I will start a thread in the backend channel re: backend validation of unwanted characters (vs sanitizing with [[https://github.com/mozilla/bleach][Bleach]]). ** Thread posting Posting here for feedback / discussion: While dealing with XSS vulnerabilities, besides updating HTML rendering to properly escape data, we are taking the additional measure of disallowing unwanted characters (specifically, =<= and =>=) in our back-end input validation. I looked at the Bleach library, but that only makes sense to me in cases where we want to accept, sanitize, and store HTML content.