2
eval
7y

I heard I should not allow users to inject arbitrary text into my webpage without sanitizing it. Is it a clean solution to just eval it on the (node) server and, if it runs, not post it, because it's obviously JS and not just text?
Any opinions on that?

Comments
  • 2
    Do you really want someone else's code to run on your server?
  • 2
    Also, sanitization does not mean that you should block the user from inputting text. I don't know what kind of application you are developing, but what if someone needs to input a simple math equation, for example? That could possibly be executed by the eval function and blocked because your server will think it is JS. Also remember that if you display user-submitted text on a website, you are going to want to sanitize HTML/CSS as well.

    Rule 34 of nodejs states that if you can imagine it, there is a module for it. You can probably just install a sanitization module if you're unsure about how to sanitize input.
  • 2
    @Olverine oh shit, now I'm feeling guilty, because someone actually tried to help me! I thought the irony was obvious 😥😥😥
  • 1
    @eval Haha! You never know! I've seen people be serious about dumber things. :)
  • 4
    Filtering user inputs is extremely important. The worst case scenario I've seen (I was the hacker (ethical, had permission)) was using an XSS flaw (not sanitizing user input resulting in arbitrary JavaScript execution on the web page) to hijack a super admin account. Took me about 15-30 seconds :)
  • 1
    @linuxxx did you just read his password from the input field, or steal session cookies? 😂
  • 2
    @eval Session cookies through XSS :)
  • 0
    @linuxxx in one web application, there was plain xss in the messaging system, it had a send-all feature. 😕😲

    The only thing holding me back was client-side validation in the TinyMCE editor. They used a plaintext editor in their app, leading me to discover this bug.

    Guess I should never use PHP.

    (I reported it ofc)
  • 3
    @leo2807 What does this have to do with PHP? This was just bad server side validation, nothing to do with the programming language :)
  • 1
    @linuxxx sure, but it seems they regretted it, and now they run some weird hybrid system. You're right that it has nothing to do with this tho.
  • 1
    @irene If there is pom of it, there's an non package of it.