
BTW: there is no such thing as a generic sanitized string. There may be an SQL-escaped string, HTML-escaped, JS-escaped, JS-in-HTML-in-SQL-escaped, etc. It always depends on context (I'm going to invent a format that uses ASCII 'a' in the escape sequence — sanitize that! ;)
Base64 encode a string and it's generically sanitized. They're a bit difficult to read with the naked eye though.


Unless it's in a URL. (This is why URL-safe Base64 versions exist... Which can then in turn be inappropriate for other places.)


And base64 can use the / character, so it's unsafe for POSIX filenames.


Until the next element in the pipeline chain decodes it and you can then have injection.


Sure. I was just using one example of sanitization: defense against Bobby Tables.
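Added example (my own code, not any commenter's) illustrating the two threads above: the same input needs a different encoder per sink and nested sinks compose in order; standard base64 emits '+' and '/', which a URL component and a POSIX filename respectively do not accept, URL-safe base64 still carries '=' padding, and the next stage that decodes gets the raw bytes back. The sample bytes and strings are constructed.

```python
import base64
import html
import json
import urllib.parse

# RFC 3986 unreserved characters: the only ones safe verbatim in a URL component.
URL_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
# A POSIX filename may never contain the path separator or NUL.
POSIX_FILENAME_FORBIDDEN = {"/", "\x00"}

def html_escape(s: str) -> str:
    """Encoder for an HTML text or quoted-attribute sink."""
    return html.escape(s, quote=True)

def js_string_literal(s: str) -> str:
    """Encoder for a JavaScript string-literal sink (a JSON string is one)."""
    return json.dumps(s)

def url_component(s: str) -> str:
    """Encoder for a URL path-segment or query-value sink ('/' is encoded too)."""
    return urllib.parse.quote(s, safe="")

def js_literal_in_html_attribute(s: str) -> str:
    """Nested sinks compose in order: innermost context (JS literal) first,
    then the outer one (HTML attribute). The reverse order is wrong."""
    return html_escape(js_string_literal(s))

def chars_outside(encoded: str, allowed: set) -> list:
    """Characters in `encoded` that the given sink does not accept verbatim."""
    return sorted(set(encoded) - allowed)

def posix_filename_problems(name: str) -> list:
    """Characters that make `name` unusable as a single POSIX path component."""
    return sorted(set(name) & POSIX_FILENAME_FORBIDDEN)

def base64_variants(raw: bytes) -> tuple:
    """Standard and URL-safe base64 of the same bytes."""
    return (base64.b64encode(raw).decode("ascii"),
            base64.urlsafe_b64encode(raw).decode("ascii"))

def decode_downstream(encoded: str) -> bytes:
    """What the next pipeline stage holds after it base64-decodes: the original
    bytes, so every sink after that stage needs its own escaping again."""
    return base64.b64decode(encoded)

if __name__ == "__main__":
    std, url = base64_variants(b"\xfb\xff")  # constructed: encodes to '+' and '/'
    print(std, chars_outside(std, URL_UNRESERVED), posix_filename_problems(std))
    print(url, chars_outside(url, URL_UNRESERVED), posix_filename_problems(url))
```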