Laravel API and input sanitize

@Sinnbeck Thank you for reply. I applied the Sanitize middleware to the Laravel api. However, it is shown as

<foo>

in the view made with vue.

@whamma are you using v-html="code" ?

@Sinnbeck No. I ask that i should use html sanitize.

@whamma I am unsure what you want. Remove all html before saving to database? Or just make sure it isn't parsed in vue?

@Sinnbeck I just want to know whether or not to sanitize html when developing a normal laravel api project.

@whamma well it depends on what you want. Vue will automatically ensure that any html etc is safe by not parsing it. But let's say you allow people to post some sort of text using a html editor like quill. Then you would want to make sure that the html you save in the database, does not contain script tags or similar

@Sinnbeck So can I only sanitize the values entered in the html editor?

@whamma well suppose you have a field called 'first_name`. You would never show this as html. So worst case you output an escaped html string as the name

And alot of sanitation is already happening as you of course validate all inputs

@Sinnbeck In this case, I do not want the first_name field to be escaped. So I don't want to escape when saving it to the database. But I'm worried that if you do that, you'll be vulnerable to security.

@whamma only if you output it unescaped (v-html or similar)

Both blade and vue will escape it automatically

@Sinnbeck Thank u

@whamma happy to help