OpenSourceFellows / ally-guide-app

The original Program Equity app
MIT License

Sanitize user input before searching Airtable #17

Open hashtagchris opened 4 years ago

hashtagchris commented 4 years ago

I don't see a way to bind parameters to a prepared statement ("formula" in Airtable-speak), so we'll have to settle for sanitizing to avoid injections.

A SQL-like injection is probably only an issue for Airtable search. For other operations like inserting new records, we don't need to concatenate our code and user text. However, for inserts we'll still need to check for script injection that could harm other users, e.g. user input like `Bail Fund<script>document.location = "https://badsite.com";</script>`. We could do that manually for now if we're reviewing every submitted listing before approving and making it visible on the site.

Before: (screenshot)

After: (screenshot)
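An added example (not code from ally-guide-app) of the two defensive steps the comment describes: escaping a search term before it is concatenated into an Airtable `filterByFormula` string, and HTML-escaping listing text before it is rendered for other users. It assumes Airtable string literals are double-quoted and accept backslash escapes for `\` and `"` (verify against the current formula documentation) and that `{Name}` is the field being searched.

```javascript
// Added example, not from the ally-guide-app repository.
// Assumption: Airtable string literals are double-quoted and accept
// backslash escapes for `\` and `"`; check the formula docs before relying on it.

// Strip control characters and cap the length so a search term cannot
// smuggle newlines or oversized input into the formula.
function normalizeSearchTerm(raw) {
  const term = String(raw).replace(/[\u0000-\u001f\u007f]/g, ' ').trim();
  return term.slice(0, 100);
}

// Escape the characters that would let input break out of a double-quoted
// Airtable string literal: the backslash first, then the quote itself.
function escapeFormulaString(value) {
  return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Build a case-insensitive substring filter on the {Name} field.
// FIND(), LOWER() and TRUE() are Airtable formula functions; {Name} is assumed.
function buildSearchFormula(rawTerm) {
  const term = normalizeSearchTerm(rawTerm);
  if (term.length === 0) return 'TRUE()'; // no term: match every record
  return `FIND(LOWER("${escapeFormulaString(term)}"), LOWER({Name})) > 0`;
}

// Escape listing text for HTML output so a stored <script> tag is shown as
// text instead of executing in another user's browser.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Usage with the airtable.js client (table and field names assumed):
// base('Listings').select({ filterByFormula: buildSearchFormula(userInput) });
// listingCard.innerHTML = `<h2>${escapeHtml(record.get('Name'))}</h2>`;
```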