HTML / Javascript: Should I encode, escape, or sanitize user-generated strings for alt attributes ( tags)?





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







0















There seems to be many accepted answers regarding if one needs to encode user-generated HTML attributes (the alt attribute of an image for instance), 'escape' them, or 'sanitize' them.



I am wondering: If I am rendering user-generated alt attributes for img elements, how should I encode them (if at all), should I both encode and sanitize? Should I both sanitize and escape?



If I know any character has the possibility of showing up how should I process this user-generated string before setting it as an alt attribute?






javascript html security user-generated-content







share|improve this question

























  • "the alt attribute of an image for instance" — For instance? Beware. The answer will vary depending on the attribute.

    – Quentin
    Nov 26 '18 at 18:33













  • Santiziation has little to do with security. How you ecape depends on the (unspecified) mechanism you are using to generate them from the input.

    – Quentin
    Nov 26 '18 at 18:34











  • Regardless of mechanism, all I know is any character is possible to appear in these alt attributes.

    – connected_user
    Nov 26 '18 at 18:36











  • While you might have any character provided as input, how you escape is still dependant on the mechanism you are using to generate the attribute from that input.

    – Quentin
    Nov 26 '18 at 18:37













  • I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag.

    – connected_user
    Nov 26 '18 at 18:42


















0















There seems to be many accepted answers regarding if one needs to encode user-generated HTML attributes (the alt attribute of an image for instance), 'escape' them, or 'sanitize' them.



I am wondering: If I am rendering user-generated alt attributes for img elements, how should I encode them (if at all), should I both encode and sanitize? Should I both sanitize and escape?



If I know any character has the possibility of showing up how should I process this user-generated string before setting it as an alt attribute?






javascript html security user-generated-content







share|improve this question

























  • "the alt attribute of an image for instance" — For instance? Beware. The answer will vary depending on the attribute.

    – Quentin
    Nov 26 '18 at 18:33













  • Santiziation has little to do with security. How you ecape depends on the (unspecified) mechanism you are using to generate them from the input.

    – Quentin
    Nov 26 '18 at 18:34











  • Regardless of mechanism, all I know is any character is possible to appear in these alt attributes.

    – connected_user
    Nov 26 '18 at 18:36











  • While you might have any character provided as input, how you escape is still dependant on the mechanism you are using to generate the attribute from that input.

    – Quentin
    Nov 26 '18 at 18:37













  • I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag.

    – connected_user
    Nov 26 '18 at 18:42














0












0








0








There seems to be many accepted answers regarding if one needs to encode user-generated HTML attributes (the alt attribute of an image for instance), 'escape' them, or 'sanitize' them.



I am wondering: If I am rendering user-generated alt attributes for img elements, how should I encode them (if at all), should I both encode and sanitize? Should I both sanitize and escape?



If I know any character has the possibility of showing up how should I process this user-generated string before setting it as an alt attribute?






javascript html security user-generated-content







share|improve this question
















There seems to be many accepted answers regarding if one needs to encode user-generated HTML attributes (the alt attribute of an image for instance), 'escape' them, or 'sanitize' them.



I am wondering: If I am rendering user-generated alt attributes for img elements, how should I encode them (if at all), should I both encode and sanitize? Should I both sanitize and escape?



If I know any character has the possibility of showing up how should I process this user-generated string before setting it as an alt attribute?






javascript html security user-generated-content




javascript html security user-generated-content






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 26 '18 at 18:30







connected_user

















asked Nov 26 '18 at 18:24









connected_userconnected_user

1261115




1261115













  • "the alt attribute of an image for instance" — For instance? Beware. The answer will vary depending on the attribute.

    – Quentin
    Nov 26 '18 at 18:33













  • Santiziation has little to do with security. How you ecape depends on the (unspecified) mechanism you are using to generate them from the input.

    – Quentin
    Nov 26 '18 at 18:34











  • Regardless of mechanism, all I know is any character is possible to appear in these alt attributes.

    – connected_user
    Nov 26 '18 at 18:36











  • While you might have any character provided as input, how you escape is still dependant on the mechanism you are using to generate the attribute from that input.

    – Quentin
    Nov 26 '18 at 18:37













  • I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag.

    – connected_user
    Nov 26 '18 at 18:42



















  • "the alt attribute of an image for instance" — For instance? Beware. The answer will vary depending on the attribute.

    – Quentin
    Nov 26 '18 at 18:33













  • Santiziation has little to do with security. How you ecape depends on the (unspecified) mechanism you are using to generate them from the input.

    – Quentin
    Nov 26 '18 at 18:34











  • Regardless of mechanism, all I know is any character is possible to appear in these alt attributes.

    – connected_user
    Nov 26 '18 at 18:36











  • While you might have any character provided as input, how you escape is still dependant on the mechanism you are using to generate the attribute from that input.

    – Quentin
    Nov 26 '18 at 18:37













  • I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag.

    – connected_user
    Nov 26 '18 at 18:42

















"the alt attribute of an image for instance" — For instance? Beware. The answer will vary depending on the attribute.

– Quentin
Nov 26 '18 at 18:33







"the alt attribute of an image for instance" — For instance? Beware. The answer will vary depending on the attribute.

– Quentin
Nov 26 '18 at 18:33















Santiziation has little to do with security. How you ecape depends on the (unspecified) mechanism you are using to generate them from the input.

– Quentin
Nov 26 '18 at 18:34





Santiziation has little to do with security. How you ecape depends on the (unspecified) mechanism you are using to generate them from the input.

– Quentin
Nov 26 '18 at 18:34













Regardless of mechanism, all I know is any character is possible to appear in these alt attributes.

– connected_user
Nov 26 '18 at 18:36





Regardless of mechanism, all I know is any character is possible to appear in these alt attributes.

– connected_user
Nov 26 '18 at 18:36













While you might have any character provided as input, how you escape is still dependant on the mechanism you are using to generate the attribute from that input.

– Quentin
Nov 26 '18 at 18:37







While you might have any character provided as input, how you escape is still dependant on the mechanism you are using to generate the attribute from that input.

– Quentin
Nov 26 '18 at 18:37















I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag.

– connected_user
Nov 26 '18 at 18:42





I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag.

– connected_user
Nov 26 '18 at 18:42












2 Answers
2






active

oldest

votes


















0















I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag




Assuming you mean that you have something along the lines of:



<img alt={this.props.alt} />


… then no, you don't need to do anything. React works on the DOM. You aren't generating HTML source code, so special characters in the data can't be used to inject JavaScript through an XSS vulnerability.






share|improve this answer
























  • So even if the prop in question this.props.alt contains markup, or a script tag, or special character, I still don't need to encode or process this string in any way?

    – connected_user
    Nov 26 '18 at 19:25











  • @connected_user — That's what I said.

    – Quentin
    Nov 26 '18 at 20:55



















-1














Sanitizing is required so there are no issues with displaying the string. If you are storing the alt attribute in a database then yyou should definitely escape the string.






share|improve this answer
























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53486965%2fhtml-javascript-should-i-encode-escape-or-sanitize-user-generated-strings-f%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0















    I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag




    Assuming you mean that you have something along the lines of:



    <img alt={this.props.alt} />


    … then no, you don't need to do anything. React works on the DOM. You aren't generating HTML source code, so special characters in the data can't be used to inject JavaScript through an XSS vulnerability.






    share|improve this answer
























    • So even if the prop in question this.props.alt contains markup, or a script tag, or special character, I still don't need to encode or process this string in any way?

      – connected_user
      Nov 26 '18 at 19:25











    • @connected_user — That's what I said.

      – Quentin
      Nov 26 '18 at 20:55
















    0















    I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag




    Assuming you mean that you have something along the lines of:



    <img alt={this.props.alt} />


    … then no, you don't need to do anything. React works on the DOM. You aren't generating HTML source code, so special characters in the data can't be used to inject JavaScript through an XSS vulnerability.






    share|improve this answer
























    • So even if the prop in question this.props.alt contains markup, or a script tag, or special character, I still don't need to encode or process this string in any way?

      – connected_user
      Nov 26 '18 at 19:25











    • @connected_user — That's what I said.

      – Quentin
      Nov 26 '18 at 20:55














    0












    0








    0








    I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag




    Assuming you mean that you have something along the lines of:



    <img alt={this.props.alt} />


    … then no, you don't need to do anything. React works on the DOM. You aren't generating HTML source code, so special characters in the data can't be used to inject JavaScript through an XSS vulnerability.






    share|improve this answer














    I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag




    Assuming you mean that you have something along the lines of:



    <img alt={this.props.alt} />


    … then no, you don't need to do anything. React works on the DOM. You aren't generating HTML source code, so special characters in the data can't be used to inject JavaScript through an XSS vulnerability.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Nov 26 '18 at 18:45









    QuentinQuentin

    658k738951057




    658k738951057













    • So even if the prop in question this.props.alt contains markup, or a script tag, or special character, I still don't need to encode or process this string in any way?

      – connected_user
      Nov 26 '18 at 19:25











    • @connected_user — That's what I said.

      – Quentin
      Nov 26 '18 at 20:55



















    • So even if the prop in question this.props.alt contains markup, or a script tag, or special character, I still don't need to encode or process this string in any way?

      – connected_user
      Nov 26 '18 at 19:25











    • @connected_user — That's what I said.

      – Quentin
      Nov 26 '18 at 20:55

















    So even if the prop in question this.props.alt contains markup, or a script tag, or special character, I still don't need to encode or process this string in any way?

    – connected_user
    Nov 26 '18 at 19:25





    So even if the prop in question this.props.alt contains markup, or a script tag, or special character, I still don't need to encode or process this string in any way?

    – connected_user
    Nov 26 '18 at 19:25













    @connected_user — That's what I said.

    – Quentin
    Nov 26 '18 at 20:55





    @connected_user — That's what I said.

    – Quentin
    Nov 26 '18 at 20:55













    -1














    Sanitizing is required so there are no issues with displaying the string. If you are storing the alt attribute in a database then yyou should definitely escape the string.






    share|improve this answer




























      -1














      Sanitizing is required so there are no issues with displaying the string. If you are storing the alt attribute in a database then yyou should definitely escape the string.






      share|improve this answer


























        -1












        -1








        -1







        Sanitizing is required so there are no issues with displaying the string. If you are storing the alt attribute in a database then yyou should definitely escape the string.






        share|improve this answer













        Sanitizing is required so there are no issues with displaying the string. If you are storing the alt attribute in a database then yyou should definitely escape the string.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 26 '18 at 18:38









        IbzDawgIbzDawg

        697




        697






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53486965%2fhtml-javascript-should-i-encode-escape-or-sanitize-user-generated-strings-f%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Tonle Sap (See)

            Image
            Tonle Sap Satellitenfoto (April 1994) Geographische Lage Kambodscha Zuflüsse Tonle-Sap-Fluss, Siem Reap River Abfluss Tonle-Sap-Fluss Orte in der Nähe Siem Reap, Battambang Daten Koordinaten 12° 52′ 34″  N , 104° 4′ 23″  O 12.876 104.073 Koordinaten: 12° 52′ 34″  N , 104° 4′ 23″  O Höhe über Meeresspiegel f1 0,5 Meter Fläche 2.700–25.000 km² dep1 f5 Länge 250 km (maximal) dep1 f6 Breite 100 km (maximal) dep1 f7 Volumen 80 km³ (maximal) dep1 f8 Maximale Tiefe 14 m f10 Mittlere Tiefe 2–3 m (minimal) f11 Besonderheiten größter See Südostasiens Der Tonle-Sap-See (Khmer: បឹង​ទន្លេសាប , Aussprache: [ boeung tunleː saːp ]) in Kambodscha ist der größte See Südostasiens und eines der fischreichsten Binnengewässer der Erde. Inhaltsverzeichnis 1 Geographie 2 Wirtschaftliche Bedeutung 2.1 Verkehr 2.2 Reis 2.3 Fisch 3 Ökologie und Gefährdung 3.1 Überfischung...
            Read more

            I get strange results when I access the Sqlitedatabase with Unity C# via XAMPP

            Image
            0 <?php $servername = "localhost"; $username="root"; $password=""; $dbName="escape_room"; $user_username = $_POST['Input_user']; $user_password = $_POST['Input_pass']; $conn = new mysqli($servername, $username, $password, $dbName); if(!$conn){ die("Cound not Connect: " . mysqli_connect_error()); } $sql = "SELECT pass FROM escape_room WHERE user = '".$user_username."' "; $result = mysqli_query($conn, $sql); //Get the result and confirm login if(mysqli_num_rows($result)>0){ while($row = mysqli_fetch_assoc($result)){ if($row['pass'] == $user_password){ echo "login success"; ...
            Read more

            Guatemaltekische Davis-Cup-Mannschaft

            Image
            Guatemala Kapitän Anthony Vásquez Aktuelles ITF-Ranking 73 Statistik Erste Teilnahme 1990 Davis-Cup-Teilnahmen 22 Bestes Ergebnis Amerika-Gruppenzone II HF (1995, 2000, 2001) Ewige Bilanz 42:30 Erfolgreichste Spieler Meiste Siege gesamt Daniel Chávez Morales (29) Meiste Einzelsiege Cristian Paiz (21) Meiste Doppelsiege Daniel Chávez Morales (17) Bestes Doppel Jacobo Chávez / Daniel Chávez Morales (9) Meiste Teilnahmen Cristian Paiz (32) Meiste Jahre Daniel Chávez Morales (10) Letzte Aktualisierung der Infobox: 3. Juni 2012 Die guatemaltekische Davis-Cup-Mannschaft ist die Tennisnationalmannschaft Guatemalas. Geschichte | 1990 nahm Guatemala erstmals am Davis Cup teil. Das beste Resultat erreichte die Mannschaft jeweils 1995, 2000 und 2001 mit dem Halbfinale in der Amerika-Gruppenzone II. Bester Spieler ist Daniel Chávez Morales mit 29 Siegen bei insgesamt 31 Teilnahmen. Rekord...
            Read more