1

I used express-validator escape() to sanitize user inputs and saved the escaped data in the database using a parameterized query. When I render the input from the database using the EJS view engine I get escaped characters. For example ' becomes '. Do I need to unescape them while rendering? Or should I not use sanitize?

RRR
  • 507
  • 4
  • 17

1 Answer

2

The best practice is to always store the raw data, so if the user sends "<h1>", you store "<h1>" in your database, then you escape the string on the client side (or on the server side if you are using server-side rendering) before showing it in the HTML to prevent XSS. So don't escape() the string in your Express app; just store the raw text.

Owl
  • 6,337
  • 3
  • 16
  • 30
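An added example, not code from the question or the answer, that models both pipelines in plain JavaScript: the two entity tables are assumptions approximating validator.js escape() (which express-validator wraps) and EJS's `<%= %>` output escaping, and an in-memory Map stands in for the database, since a parameterized query stores the text unchanged either way.

```javascript
// Entity tables are assumptions modelled on the two libraries, not copied from them.
const INPUT_ESCAPES = {            // approximates validator.js escape()
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  '/': '&#x2F;', '\\': '&#x5C;', '`': '&#96;',
};
const OUTPUT_ESCAPES = {           // approximates EJS escapeXML used by <%= %>
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;',
};

function escapeWith(table, str) {
  // Characters missing from the table are passed through unchanged.
  return String(str).replace(/[&<>"'\/\\`]/g, (ch) => table[ch] ?? ch);
}

// Minimal stand-in for an EJS template: every <%= name %> is escaped on output.
function renderTemplate(template, data) {
  return template.replace(/<%=\s*(\w+)\s*%>/g, (_, key) => escapeWith(OUTPUT_ESCAPES, data[key]));
}

// Decode entities exactly once, the way a browser does for text content,
// so we can see what the user actually reads on the page.
function decodeEntitiesOnce(html) {
  const decode = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"',
                   '&#34;': '"', '&#39;': "'", '&#x27;': "'" };
  return html.replace(/&(?:amp|lt|gt|quot|#34|#39|#x27);/g, (m) => decode[m]);
}

const db = new Map();                         // stand-in for the database rows
const TEMPLATE = 'Comment: <%= comment %>';   // stand-in for the EJS view

// Pipeline from the question: escape() at input, then EJS escapes again at output.
// The '&' introduced by the first escape is escaped a second time (double escaping).
function escapeTwice(id, userInput) {
  db.set(id, escapeWith(INPUT_ESCAPES, userInput));
  return renderTemplate(TEMPLATE, { comment: db.get(id) });
}

// Pipeline from the answer: store the raw text, escape once at output.
// Markup in the input still reaches the page as inert text, so XSS is prevented.
function storeRawEscapeOnOutput(id, userInput) {
  db.set(id, userInput);
  return renderTemplate(TEMPLATE, { comment: db.get(id) });
}

const sample = "it's <h1>hi</h1>";            // constructed sample input
console.log(decodeEntitiesOnce(escapeTwice('c1', sample)));             // shows literal &#x27; and &lt;
console.log(decodeEntitiesOnce(storeRawEscapeOnOutput('c2', sample)));  // shows it's <h1>hi</h1> as text
```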