[{"data":1,"prerenderedAt":268},["ShallowReactive",2],{"blog-glossary/sanitization":3},{"id":4,"title":5,"body":6,"category":243,"date":244,"dateModified":244,"description":245,"draft":246,"extension":247,"faq":248,"featured":246,"headerVariant":252,"image":253,"keywords":253,"meta":254,"navigation":255,"ogDescription":256,"ogTitle":257,"path":258,"readTime":259,"schemaOrg":260,"schemaType":261,"seo":262,"sitemap":263,"stem":264,"tags":265,"twitterCard":266,"__hash__":267},"blog/blog/glossary/sanitization.md","What is Input Sanitization? Cleaning User Data",{"type":7,"value":8,"toc":230},"minimark",[9,16,21,29,33,100,104,109,129,133,142,146,169,178,200,218],[10,11,12],"tldr",{},[13,14,15],"p",{},"Sanitization removes or encodes dangerous characters from user input. Unlike validation (which rejects bad input), sanitization cleans input so it can be safely used. For HTML output, encode special characters. For HTML content users submit, use a library like DOMPurify to strip dangerous tags. Always use parameterized queries for SQL. Sanitization is not a replacement for proper data handling.",[17,18,20],"h2",{"id":19},"the-simple-explanation","The Simple Explanation",[13,22,23,24,28],{},"Users submit data. Some might include malicious code. Sanitization cleans that data before you use it. If a username field contains ",[25,26,27],"code",{},"\u003Cscript>alert('hack')\u003C/script>",", sanitization might strip the tags or encode them so they display as text instead of executing.",[17,30,32],{"id":31},"sanitization-vs-validation","Sanitization vs Validation",[34,35,36,52],"table",{},[37,38,39],"thead",{},[40,41,42,46,49],"tr",{},[43,44,45],"th",{},"Aspect",[43,47,48],{},"Validation",[43,50,51],{},"Sanitization",[53,54,55,67,78,89],"tbody",{},[40,56,57,61,64],{},[58,59,60],"td",{},"What it does",[58,62,63],{},"Checks if input is correct",[58,65,66],{},"Cleans input to make it safe",[40,68,69,72,75],{},[58,70,71],{},"Bad input",[58,73,74],{},"Reject it",[58,76,77],{},"Modify it",[40,79,80,83,86],{},[58,81,82],{},"Example",[58,84,85],{},"Email must have @",[58,87,88],{},"Remove script tags",[40,90,91,94,97],{},[58,92,93],{},"When to use",[58,95,96],{},"Always, first",[58,98,99],{},"After validation if needed",[17,101,103],{"id":102},"common-sanitization-tasks","Common Sanitization Tasks",[105,106,108],"h3",{"id":107},"html-output-encoding","HTML Output Encoding",[110,111,113,121,124,128],"prompt-box",{"title":112},"Encode for HTML display",[13,114,115,116,120],{},"// User input: alert('xss')\n// After encoding: ",[117,118,119],"script",{},"alert('xss')","\n// Displays as text, does not execute",[13,122,123],{},"// In React, automatic with JSX:",[125,126,127],"div",{},"{userInput}","  // Safe by default",[105,130,132],{"id":131},"rich-text-html-content","Rich Text / HTML Content",[110,134,136,139],{"title":135},"Using DOMPurify",[13,137,138],{},"import DOMPurify from 'dompurify';",[13,140,141],{},"// User submits HTML content (like from a rich text editor)\nconst clean = DOMPurify.sanitize(userHtml);\n// Removes script tags, event handlers, dangerous attributes",[17,143,145],{"id":144},"when-not-to-rely-on-sanitization","When Not to Rely on Sanitization",[147,148,149,157,163],"ul",{},[150,151,152,156],"li",{},[153,154,155],"strong",{},"SQL queries:"," Use parameterized queries, not escaping",[150,158,159,162],{},[153,160,161],{},"Shell commands:"," Avoid shell entirely, use library APIs",[150,164,165,168],{},[153,166,167],{},"File paths:"," Use allowlists, not sanitization",[170,171,172],"warning-box",{},[13,173,174,177],{},[153,175,176],{},"Sanitization is not foolproof."," Attackers find bypasses. Use sanitization as defense-in-depth, not your only protection. Combine with validation, parameterized queries, and output encoding.",[179,180,181,188,194],"faq-section",{},[182,183,185],"faq-item",{"question":184},"What is the difference between sanitization and validation?",[13,186,187],{},"Validation checks if input is correct (right format, expected values) and rejects bad input. Sanitization modifies input to make it safe (removing or encoding dangerous characters). Validation says yes or no. Sanitization cleans and allows. Use both: validate first, then sanitize if needed.",[182,189,191],{"question":190},"Should I sanitize input or output?",[13,192,193],{},"Both, but for different purposes. Sanitize input when you need to clean data for storage or processing. Encode output when rendering for a specific context (HTML, JavaScript, SQL). Output encoding is often more reliable because you know the exact context and can apply appropriate encoding.",[182,195,197],{"question":196},"Can sanitization replace parameterized queries?",[13,198,199],{},"No. Parameterized queries separate data from code structurally. Sanitization tries to clean data but can miss edge cases. Always use parameterized queries for SQL. Sanitization is a defense-in-depth measure, not a replacement for proper data handling.",[201,202,203,208,213],"related-articles",{},[204,205],"related-card",{"description":206,"href":207,"title":48},"Checking input correctness","/blog/glossary/validation",[204,209],{"description":210,"href":211,"title":212},"What sanitization prevents","/blog/glossary/xss","XSS",[204,214],{"description":215,"href":216,"title":217},"Attack category","/blog/glossary/injection","Injection",[219,220,223,227],"cta-box",{"href":221,"label":222},"/","Start Free Scan",[17,224,226],{"id":225},"check-your-input-handling","Check Your Input Handling",[13,228,229],{},"Scan your app for sanitization and validation issues.",{"title":231,"searchDepth":232,"depth":232,"links":233},"",2,[234,235,236,241,242],{"id":19,"depth":232,"text":20},{"id":31,"depth":232,"text":32},{"id":102,"depth":232,"text":103,"children":237},[238,240],{"id":107,"depth":239,"text":108},3,{"id":131,"depth":239,"text":132},{"id":144,"depth":232,"text":145},{"id":225,"depth":232,"text":226},"glossary","2026-01-12","Learn what sanitization is, how it differs from validation, and when to use it. Protect your app from malicious input.",false,"md",[249,250,251],{"question":184,"answer":187},{"question":190,"answer":193},{"question":196,"answer":199},"green",null,{},true,"Sanitization cleans user input to remove dangerous content. Learn how to do it right.","What is Input Sanitization?","/blog/glossary/sanitization","4 min read","[object Object]","DefinedTerm",{"title":5,"description":245},{"loc":258},"blog/glossary/sanitization",[],"summary_large_image","CgbJPDIDp2umVgAUEND9ACPT-5AdgsSUBbRtnWcM6-A",1775843922020]