I have quite a few inputs in my flutter app that the users can add text into. The data is sent to a cloud function and if valid is inserted into a firestore document. I have recently come across data sanitisation and have started to wonder whether I should be doing this in my cloud functions.

I have read the Node.js function escape() can do this, however it seems to break certain web URLs that can be inserted by the users.

It seems pointless to escape the data just for firestore to then unescape it back on the flutter app so they can actually click the links.

Is it important to escape all the data (e.g. comments etc.) and if so what approach should be taken with the troublesome URL links?

(Occasionally I might view user input data in an HTML page. If this could also cause XSS problems, please can you tell me methods to fix it other than escaping before displaying)

Thanks guys


Solution 1: Doug Stevenson

I have recently come across data sanitisation and have started to wonder whether I should be doing this in my cloud functions.

The only safe position to take when writing backend code, such as with Cloud Functions, is never trust data coming from the client. Any inputs should be checked or validated in order to avoid doing something dangerous with malicious data.

It seems pointless to escape the data just for firestore to then unescape it back on the flutter app so they can actually click the links.

Escaping is a necessary part of following protocols. The HTTP protocol dictates what characters can and can't be present in a URL and request body. Anything outside of that, and the data might be rejected, or simply fail altogether.

Is it important to escape all the data (e.g. comments etc.) and if so what approach should be taken with the troublesome URL links?

It's not just important, it's required.

If input data is "troublesome", simply reject it, as it might be malicious.