Whether xss sensitive characters are escaped before they are inserted into the database or when they are read from the database.

it is not clear which process XSS is escaped in. If you escape before inserting into the database, it is possible that the escaped character length exceeds the length defined by the database field, making it impossible to store or truncated. However, if you escape after reading from the database, there seems to be a performance problem, such as a large number of visits, each read and escape, more or less performance loss. Therefore, it has not been known in which process it is more appropriate to escape. I think there is something wrong with the escape before and after the storage.

Mar.19,2022

escaping is completely feasible after reading. There is no performance problem
for example, thymeleaf templates of springboot all escape the output string automatically

if the front-end separation is similar to vue , it is also automatically escaped, and it is done on the client side without performance problems

.

feel free to use it.


escape before storage. If the excessive length after the escape means that the design of the database field is unreasonable, change the length directly or use the text type. If it is read and escaped, it means that every read has to be transferred, not to mention the performance consumption, if someone forgets to transfer, it will be finished, there is no need for this.

Menu