couchdb-user mailing list archives

From Jan Lehnardt <>
Subject Re: Sanitize before saving to couch document?
Date Wed, 13 May 2015 08:57:14 GMT

> On 13 May 2015, at 05:33, jumbo jim <> wrote:
> I am thinking about user-submitted data that I want to save. I currently
> validate and submit data directly to couch, and when I want to display the
> data back to users, I escape it first to avoid XSS. Validate on input,
> escape on output.
> My question relates specifically to the step when I save the user-submitted
> data to couch. I.e. they submit a string, and I want to save that to a
> field within a document. Can couchdb accept any arbitrary string for a
> field within a document? I validate against string length. I have observed
> that special characters (quotes, newlines etc.) are automatically
> escaped (i.e. \\n). Couchdb also accepts unicode. Are there any
> situations where I need to be wary about what type of data I save to a
> document that may have been submitted by an evil user?

Ah, you want a validate_doc_update function:

Professional Support for Apache CouchDB:
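An added example, not code from Jan's reply or from the CouchDB project: a validate_doc_update function that enforces the poster's string-length rule on the server side, with a small local harness that mimics how CouchDB invokes it. The document type "comment", the field name "comment" and the 2000-character limit are assumptions made for this example.

```javascript
// CouchDB stores any JSON string (quotes, newlines, Unicode) as-is; the
// document itself is not a vector, so escaping stays an output-time concern.
// validate_doc_update lets the server reject documents that break the
// application's own rules, independently of which client sent them.
const MAX_COMMENT_LENGTH = 2000; // assumed limit for this example

// In a design document this function is stored as a string, e.g.
// { "_id": "_design/posts", "validate_doc_update": "function(newDoc, ...) {...}" }
// CouchDB turns a thrown {forbidden: ...} into HTTP 403 and
// {unauthorized: ...} into HTTP 401, and the write is not stored.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  // A deletion stub carries only _id, _rev and _deleted; nothing to check.
  if (newDoc._deleted === true) {
    return;
  }
  // Only apply these rules to the document type they are written for.
  if (newDoc.type !== 'comment') {
    return;
  }
  if (!userCtx || !userCtx.name) {
    throw { unauthorized: 'must be logged in to post a comment' };
  }
  // Type check first: a number, array or object here would otherwise pass
  // a length check or crash it.
  if (typeof newDoc.comment !== 'string') {
    throw { forbidden: 'comment must be a string' };
  }
  if (newDoc.comment.length === 0) {
    throw { forbidden: 'comment must not be empty' };
  }
  // Note: .length counts UTF-16 code units, not user-visible characters.
  if (newDoc.comment.length > MAX_COMMENT_LENGTH) {
    throw { forbidden: 'comment exceeds ' + MAX_COMMENT_LENGTH + ' characters' };
  }
}

// Local harness (assumption: not part of CouchDB): returns null when CouchDB
// would accept the update, otherwise the reason object it would respond with.
function checkUpdate(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, {});
    return null;
  } catch (e) {
    return e;
  }
}
```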
