Teach data sanitization in JS projects #54547
Comments
So for the authors page project, we probably need to add a step where step 16 is currently at that deals with sanitizing the data. I think we should consider adding some innocent but demonstrative bad data into our API. Stuff like special characters before it can actually be displayed on the page. At minimum, adding some less-than and greater-than symbols that need to be encoded could help. As for the forum leaderboard project, roughly around step 11 is where we should do the same thing.
Because we are not exactly set up for modules, we might want to go the route of:
No, I suggest splitting the stuff we control and the text into different parts. I see why that might not work very easily; previously, I had just looked at the forum leaderboard:

```js
// Current forum leaderboard code: every field from the fetched API response
// is interpolated straight into a template literal and assigned to innerHTML.
const showLatestPosts = (data) => {
  const { topic_list, users } = data;
  const { topics } = topic_list;
  postsContainer.innerHTML = topics
    .map((item) => {
      const {
        id,
        title,
        views,
        posts_count,
        slug,
        posters,
        category_id,
        bumped_at,
      } = item;
      return `
        <tr>
          <td>
            <p class="post-title">${title}</p>
            ${forumCategory(category_id)}
          </td>
          <td>
            <div class="avatar-container">
              ${avatars(posters, users)}
            </div>
          </td>
          <td>${posts_count - 1}</td>
          <td>${viewCount(views)}</td>
          <td>${timeAgo(bumped_at)}</td>
        </tr>`;
    })
    .join("");
};
```
That might work. We technically control all of the content for the authors page project since it is just a hardcoded JSON file.
It could be enough to just use
Describe the Issue
In the authors page project and the forum leaderboard project, we are having users fetch data from an external resource and inserting it into the DOM via innerHTML. This isn't a good practice as the data could theoretically be malicious. It's not because we control the data, but we should change these two projects to have users sanitize the data.
Affected Page
https://www.freecodecamp.org/learn/javascript-algorithms-and-data-structures-v8/
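As an added example, not code from freeCodeCamp or from this issue: one way to do what the issue description and the forum leaderboard snippet in the comments call for. Strings coming from the API are HTML-escaped before they reach innerHTML, and the markup we control is kept separate from the text we don't by routing everything through a small tagged template. The names TrustedHTML, html, trusted, renderValue, renderLatestPosts, CATEGORY_NAMES and the sample data are assumptions made for this example; the project's real helpers (forumCategory, avatars, viewCount, timeAgo) are stood in for or left out, and the function returns the HTML string instead of assigning innerHTML so it runs outside a browser.

```javascript
// Added example (not freeCodeCamp's code). Names below are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that change meaning in HTML text and in
// double/single-quoted attribute values. Coercing to String first means
// numbers, null and undefined cannot bypass the replace.
const escapeHTML = (value) =>
  String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);

// Wrapper marking a string as markup we built ourselves.
class TrustedHTML {
  constructor(value) {
    this.value = value;
  }
}
const trusted = (markup) => new TrustedHTML(markup);

// Render one interpolated value: trusted markup passes through unchanged,
// arrays are joined (so .map() results work), everything else is escaped.
const renderValue = (v) => {
  if (v instanceof TrustedHTML) return v.value;
  if (Array.isArray(v)) return v.map(renderValue).join("");
  return escapeHTML(v);
};

// Tagged template: the literal chunks are ours, the interpolations are
// escaped unless explicitly trusted. Returns TrustedHTML so nested html``
// calls compose without double-escaping.
const html = (strings, ...values) =>
  trusted(
    strings.reduce(
      (out, chunk, i) => (i === 0 ? chunk : out + renderValue(values[i - 1]) + chunk),
      ""
    )
  );

// Hypothetical stand-in for the project's forumCategory helper. The name
// comes from a table we control, but it still goes through html`` so the
// pattern stays uniform.
const CATEGORY_NAMES = { 1: "JavaScript", 2: "Python" };
const forumCategory = (categoryId) =>
  html`<p class="category">${CATEGORY_NAMES[categoryId] ?? "Unknown"}</p>`;

// Same shape as showLatestPosts in the leaderboard project, minus the
// avatar/view-count/time-ago columns, which are unrelated to escaping.
const renderLatestPosts = (data) => {
  const { topics } = data.topic_list;
  return html`${topics.map(
    ({ id, title, views, posts_count, category_id }) => html`
      <tr data-id="${id}">
        <td>
          <p class="post-title">${title}</p>
          ${forumCategory(category_id)}
        </td>
        <td>${posts_count - 1}</td>
        <td>${views}</td>
      </tr>`
  )}`.value;
};

// Constructed sample in the topic_list shape the project consumes, with the
// kind of "innocent but demonstrative" bad data the issue suggests adding.
const sampleData = {
  topic_list: {
    topics: [
      { id: 1, title: "Plain title", views: 12, posts_count: 3, category_id: 1 },
      {
        id: 2,
        title: 'Why does <b>bold</b> & "quotes" break?',
        views: 5,
        posts_count: 1,
        category_id: 9,
      },
    ],
  },
};

const renderedSample = renderLatestPosts(sampleData);
```

In the browser the call site becomes `postsContainer.innerHTML = renderLatestPosts(data)`. Two caveats a learner should hear at that step: this escaping is only correct for HTML text and quoted attribute values, so API data must never be interpolated into `href`, `src`, `style`, `on*` attributes or a `<script>` body this way; and the alternative that avoids innerHTML altogether is to build the rows with `document.createElement` and set the strings with `textContent`, which needs no escaping at all.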