I just realized that since user input scrubbing against JS injection only occurs in the frontend, an attacker could still just manually turn off or bypass string_utils_xss_escape() and get their JS sent to the server. Therefore, it will still be necessary to double-check for any suspicious characters in the db server before approving input for a database query.
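Added illustration (not code from the original post, and not the poster's `string_utils_xss_escape()`): a minimal server-side handler that does not rely on anything the frontend did. It stores the submitted text with a parameterized query, so no quoting or character checks on the input are needed to keep the database safe, and it HTML-escapes on output every time, which is what stops a payload that skipped the frontend escaping from executing as script. The table, column names and sample payloads are constructed for the example.

```python
import html
import sqlite3

# Constructed sample input: what a client can send when it skips the
# frontend escaping step entirely (hypothetical payloads, not from the post).
RAW_SCRIPT_COMMENT = "<script>alert(1)</script>"
RAW_SQL_COMMENT = "'; DROP TABLE comments; --"


def make_db() -> sqlite3.Connection:
    """In-memory database with a single hypothetical 'comments' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def store_comment(conn: sqlite3.Connection, comment: str) -> int:
    """Persist the comment with a bound parameter.

    The driver passes the value to SQLite separately from the SQL text, so
    quotes, semicolons or comment markers in the input cannot alter the
    statement. No server-side 'suspicious character' scan is needed for this.
    """
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (comment,))
    conn.commit()
    return cur.lastrowid


def render_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    """Escape on output, on the server, unconditionally.

    Because the stored value is the raw text the client sent, the only
    guarantee against stored XSS is the escaping done here, not whatever the
    frontend may or may not have applied before submitting.
    """
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return "<p>" + html.escape(row[0], quote=True) + "</p>"


def store_and_read_back(comment: str) -> tuple[str, str]:
    """Round-trip one comment: returns (what the DB stored, what is rendered)."""
    conn = make_db()
    cid = store_comment(conn, comment)
    stored = conn.execute("SELECT body FROM comments WHERE id = ?", (cid,)).fetchone()[0]
    # The table must still exist after the SQL-looking payload was inserted.
    conn.execute("SELECT COUNT(*) FROM comments")
    return stored, render_comment(conn, cid)


if __name__ == "__main__":
    for payload in (RAW_SCRIPT_COMMENT, RAW_SQL_COMMENT):
        stored, rendered = store_and_read_back(payload)
        print("stored  :", stored)
        print("rendered:", rendered)
```

The two halves address the two different concerns the post runs together: parameter binding takes care of the query, and output encoding takes care of the browser. Neither depends on the client having run its own escaping first.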