Escaping User Input

Article Overview

The following article describes EasySend's escaping user input technique.

What is Escaping User Input?

Escaping user input is a technique used in data protection to ensure that any user-supplied data is treated as plain text rather than executable code or other harmful inputs. It prevents malicious users from injecting harmful scripts or commands into a system, thereby safeguarding applications from attacks like cross-site scripting (XSS), SQL injection, and command injection.

Escaping User Input in EasySend

In EasySend, escaping user input is performed in the scenarios described below.

HTML

For example when injecting user input into a rich text.

PDF 

• Parentheses () should be escaped as \( and \)
• Backslashes \ need to be escaped as \\

Email body

• Escape special characters such as:
  • < → &lt;
  • > → &gt;
  • & → &amp;
  • " → &quot;
• Adding automatic escaping of links and HTML content of model fields which are injected into the body of emails, to prevent potential attacks that might happen in case a user enters some unwanted HTML snippet into a model field which is later injected into the body of an email. This is done by specifying an un-escape modifier to the {{ }} dynamic content injection in the template, for example:
   {{personal.fullName}}, please read the following {{disclaimer.link un-escape}}