User Input Sanitization

The cluster focuses on the importance of sanitizing and validating user inputs in software development to prevent security vulnerabilities, with debates on whether to sanitize inputs or escape outputs and the rule of never trusting user data.

Trend: ➡️ Stable (0.7x Security)
Comments: 3,830
Years Active: 20
Top Authors: 5
Topic ID: #4697

Activity Over Time (comments per year)

Year  Comments
2007  5
2008  35
2009  73
2010  122
2011  167
2012  197
2013  205
2014  219
2015  130
2016  245
2017  215
2018  129
2019  175
2020  305
2021  378
2022  291
2023  247
2024  305
2025  373
2026  14

Keywords

e.g dkriesel.com GP SQL RFC2821 inputs.html hackensplat.com HTTP RFC821 UnsafeString input user input escaped inputs data strings string user validation untrusted

Sample Comments

siegecraft (Mar 25, 2016):

They didn't sanitize their input data... that's the worst sin you can commit.

zAy0LfpBZLC8mAC (Feb 27, 2020):

"Unsafe input" is not a thing.

dylan604 (Aug 16, 2023):

because every developer has been told to never trust user input, and to sanitize the hell out of it.

rat87 (Mar 22, 2025):

Only if you are getting input from untrusted users

mcs (Sep 15, 2010):

Apparently somebody doesn't know how to sanitize input.

olalonde (Oct 5, 2010):

They really mean it when they say "never trust user input".

noodle (Mar 18, 2008):

#1 rule of web app development (as far as I'm concerned): sanitize inputs. If you don't know if inputs are already/automatically sanitized, sanitize them again anyway.

Y_Y (Dec 17, 2023):

Just think a virus, you know they're not going to be correctly sanitizing their inputs.

the_duke (Jan 13, 2019):

That's quite a lot of words for saying: "don't trust user input".

OscarCunningham (Jan 21, 2024):

I've heard people being told 'sanitize your inputs!' too many times. The advice should be 'escape your outputs!'.