What is Input Sanitization?

Input Sanitization is the process of cleaning, validating, and escaping user input to prevent injection attacks (XSS, SQL injection, command injection). Never trust user input—always validate, sanitize, and escape before storing in a database, rendering in HTML, or executing commands. Different contexts require different sanitization (HTML escaping for display, parameterized queries for SQL).

When Should You Use This?

Sanitize ALL user input in every app, always. Any form field, URL parameter, API request, file upload—if it comes from a user, sanitize it. Use libraries for escaping and validation (DOMPurify for HTML, parameterized queries for SQL, schema validation libraries like Zod or Joi). Never concatenate user input into SQL queries, HTML, or shell commands—use safe APIs and templating engines.

Common Mistakes to Avoid

  • Trusting frontend validation—attackers bypass JavaScript; always validate on the backend
  • Sanitizing too late—sanitize at the entry point (API endpoint), not before rendering
  • Using blacklists instead of whitelists—blacklists miss edge cases; whitelist allowed characters/patterns
  • Ignoring the output context—HTML escaping doesn't protect against SQL injection, and SQL parameterization doesn't protect against XSS
  • Over-sanitizing—don't strip all HTML if users need rich text; use a sanitizing parser such as DOMPurify, or a Markdown renderer that sanitizes its output
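
The context-aware point above, worked through as an added JavaScript example (not code from the pattern page or from any of the named products): the same untrusted value gets allow-list validation at the entry point, HTML escaping for the HTML body context, and a parameterized query for SQL. The username character class, the SQL statement and the table name are assumptions.

```javascript
// Added example, not code from the pattern page or from any of the named
// products. Shows the same untrusted value handled per context: allow-list
// validation at the entry point, HTML escaping for the HTML body context,
// and a parameterized query that keeps the value out of the SQL text.
// Runs on Node.js with no dependencies.

// Allow-list: accept only the characters and length the field needs.
// The character class and bounds are assumptions for a "username" field.
const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;

function validateUsername(input) {
  if (typeof input !== "string" || !USERNAME_RE.test(input)) {
    return { ok: false, error: "username must be 3-20 chars of [A-Za-z0-9_]" };
  }
  return { ok: true, value: input };
}

// Escaping for the HTML body context. Every character that can start a tag,
// entity or attribute boundary is replaced with its entity.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parameterized query: the value travels separately from the SQL string, so
// a quote in the data (O'Brien) is just data. {text, values} is the query
// config shape node-postgres accepts; this only builds it, no DB is involved.
function buildUserLookup(username) {
  return {
    text: "SELECT id, username FROM users WHERE username = $1",
    values: [username],
  };
}

// Constructed samples: one benign username, one with markup and a quote.
// Each helper runs on both so the effect of each context is visible; in a
// real handler invalid input is rejected before it reaches the others.
const samples = ["alice_01", "<b>Bob</b> & O'Brien"];
for (const s of samples) {
  console.log(JSON.stringify({
    input: s,
    validation: validateUsername(s),
    html: escapeHtml(s),
    query: buildUserLookup(s),
  }));
}
```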

Real-World Examples

  • Notion—sanitizes rich text input to allow formatting while blocking <script> tags
  • WordPress—strips malicious HTML from comments but allows safe tags like <b>, <i>
  • Stripe—validates credit card numbers, expiration dates, and CVVs to prevent bad data
  • GitHub—sanitizes Markdown rendering to prevent XSS in READMEs and comments

Category

Cybersecurity

Tags

input-sanitization, validation, xss-prevention, sql-injection, security