roam/20211007111835-validation_vs_sanitization.org
2021-10-08 16:06:24 -04:00

Validation vs Sanitization

There are distinct factors that go into deciding whether to validate input (rejecting unwanted data) or to sanitize input (accepting and altering data).

Commonly, data is validated on input, and sanitized when it is displayed:

  cloud "Input" as input
  component API {
    interface POST
    usecase "Validate input" as validate
    database "Data store" as data
    interface GET
  }
  frame Client {
    usecase "Sanitize and display" as sanitize
    file "Output" as output
  }

  input -> POST
  POST -> validate
  validate -> data
  data -> GET
  GET -> sanitize
  sanitize -> output

This has the following benefits:

  • Input that is accepted correctly matches the types and constraints of its domain.
  • The client is solely responsible for ensuring that data is displayed correctly and securely.
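
The flow in the diagram above, as an added example that is not part of the original note: the API validates and stores input unchanged, and the client escapes it for HTML only when displaying it. All names (post, get, validateComment, escapeHtml, renderComment), the field limits and the sample input are assumptions made for illustration.

```javascript
// Added example; every name and limit here is hypothetical.
const store = []; // stands in for the "Data store"

// POST side: validate. Reject anything outside the domain; never alter it.
function validateComment(input) {
  if (typeof input !== "object" || input === null) return ["body must be an object"];
  const errors = [];
  const { author, text } = input;
  if (typeof author !== "string" || author.length < 1 || author.length > 40)
    errors.push("author: string of 1-40 characters required");
  if (typeof text !== "string" || text.length < 1 || text.length > 500)
    errors.push("text: string of 1-500 characters required");
  return errors;
}

function post(input) {
  const errors = validateComment(input);
  if (errors.length > 0) return { status: 400, errors };
  store.push({ author: input.author, text: input.text }); // stored verbatim
  return { status: 201, id: store.length - 1 };
}

function get(id) {
  return store[id];
}

// Client side: sanitize for the output context (HTML text) at display time.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderComment(comment) {
  return `<p><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.text)}</p>`;
}

// Constructed sample input: the second body is valid for its domain,
// yet would be interpreted as markup if written to the page unescaped.
function demo() {
  const rejected = post({ author: "", text: 42 });
  const accepted = post({ author: "A & B", text: "x < y && <b>hi</b>" });
  return { rejected, accepted, html: renderComment(get(accepted.id)) };
}
```

Because the stored value is unaltered, a different client (plain text, JSON, CSV) can apply the escaping its own output context needs.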