:PROPERTIES:
:ID: 6df725cd-289d-4c22-b359-c9e4d4167468
:END:
#+title: 2021-10-22

* Huddle to discuss XSS validation in the new-list client
- Concerns: [[id:05698e38-65b2-496c-b02b-1db376ae734c][Validation vs Sanitization]]
- Sanitize on input in the frontend? (Ignore / remove invalid characters as data is being typed)
- Warn when invalid characters are present?
  - This is preferable
  - It should be expected that the backend will return an error if/when invalid content is submitted

** How does this apply to tag entry?
- Tagging doesn't currently have an error state for invalid input that we can leverage

** Action items
- Chris V will bring tag input validation to the product meeting on Tuesday
- I will start a thread in the backend channel re: backend validation of unwanted characters (vs sanitizing with [[https://github.com/mozilla/bleach][Bleach]]).

** Thread posting
Posting here for feedback / discussion:

While dealing with XSS vulnerabilities, besides updating HTML rendering to properly escape data, we are taking the additional measure of disallowing unwanted characters (specifically, =<= and =>=) in our back-end input validation. I looked at the Bleach library, but that only makes sense to me in cases where we want to accept, sanitize, and store HTML content.