TechQA.

HTML / Javascript: Should I encode, escape, or sanitize user-generated strings for alt attributes (<img/> tags)?

849 views Asked by At

There seems to be many accepted answers regarding if one needs to encode user-generated HTML attributes (the alt attribute of an image for instance), 'escape' them, or 'sanitize' them.

I am wondering: If I am rendering user-generated alt attributes for img elements, how should I encode them (if at all), should I both encode and sanitize? Should I both sanitize and escape?

If I know any character has the possibility of showing up how should I process this user-generated string before setting it as an alt attribute?

javascript html security user-generated-content
Original Q&A
2

There are 2 answers

0
IbzDawg On

Sanitizing is required so there are no issues with displaying the string. If you are storing the alt attribute in a database then yyou should definitely escape the string.

4
Quentin On

I am using React.js to generate the markup in which this user-generated string is being used as an alt attribute of an img tag

Assuming you mean that you have something along the lines of:

<img alt={this.props.alt} />

… then no, you don't need to do anything. React works on the DOM. You aren't generating HTML source code, so special characters in the data can't be used to inject JavaScript through an XSS vulnerability.

Related Questions in JAVASCRIPT

Related Questions in HTML

Related Questions in SECURITY

Related Questions in USER-GENERATED-CONTENT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions