
I save all the data in my database after checking it with `filter_var( $value, FILTER_SANITIZE_STRING )`.

To display this data later, I make a GET request in my Frontend JS and insert it via JS in the DOM.

Do I still need htmlspecialchars() or something more to prevent malicious code?

  • You may find this post informative. Let me know if it answers your question. [Using htmlspecialchars function with PDO prepare and execute](https://stackoverflow.com/questions/38411112/using-htmlspecialchars-function-with-pdo-prepare-and-execute) – Phil Jul 20 '20 at 23:35
  • Thanks. I never echo my statements; I get them via AJAX as JSON. So I guess I have to be careful when I use `.innerHTML = value`. – Zachi Jul 21 '20 at 11:50

1 Answer


It is not common to use front-end checks, but you SHOULD if you care about your users.

https://github.com/cure53/DOMPurify

I don't recommend using inline JavaScript at all (if possible). There are a lot of restrictions you can apply by sending some HTTP headers like CSP, Feature-Policy, Referrer-Policy, etc.

The browser understands those and protects your users.

You can use Mozilla Observatory to get more precise advice on HTTP headers: https://observatory.mozilla.org
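As an added example (not code from the question or the answer), here is the sink-side handling the asker's `.innerHTML = value` comment points at: escape for the HTML context at the moment of insertion, or skip `innerHTML` and use `textContent`. The function names, the stub-friendly `doc` parameter and the JSON sample are all constructed for this illustration.

```javascript
// Output encoding belongs at the sink, in the browser, no matter what
// FILTER_SANITIZE_STRING did at input time: the PHP filter runs before the
// value's output context (HTML text, attribute, JS) is known.

// JS twin of PHP htmlspecialchars($s, ENT_QUOTES, 'UTF-8') for HTML text
// and for double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Option A: keep an innerHTML template, but escape every interpolated value.
function commentToHtml(comment) {
  return '<p class="comment"><b>' + escapeHtml(comment.author) + '</b>: ' +
         escapeHtml(comment.text) + '</p>';
}

// Option B (preferred): build nodes and assign untrusted strings through
// textContent / createTextNode, which the browser never parses as markup.
// `doc` is the browser's `document` in real use; a test can pass a stub.
function appendCommentNode(doc, container, comment) {
  const p = doc.createElement('p');
  const b = doc.createElement('b');
  b.textContent = comment.author;      // literal text, not markup
  p.appendChild(b);
  p.appendChild(doc.createTextNode(': ' + comment.text));
  container.appendChild(p);
  return p;
}

// Constructed sample of what the AJAX endpoint could return, including one
// value that would run as a script if dropped into innerHTML unescaped.
const SAMPLE_JSON = JSON.stringify([
  { author: 'mallory', text: '<script>alert(1)</script> hi' },
  { author: 'bob', text: 'Tom & Jerry are "classics"' }
]);

// Renders a JSON response with Option A and returns the markup that was set.
function renderAll(container, json) {
  container.innerHTML = JSON.parse(json).map(commentToHtml).join('');
  return container.innerHTML;
}
```

In a browser, `renderAll(document.getElementById('comments'), responseText)` shows the comments as text; the `<script>` sample appears on screen as characters and does not execute.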