Handling Non-Printable Characters and Blacklisting in Database Field Validation

Answered

Hi Xano community,

I have two questions around data field validation.

Recently, we undertook a penetration test which suggested we enforce stricter field validation, mostly to prevent cross-site scripting attacks. While Xano's 'filter' feature has been helpful (see the bottom of this page on Xano's documentation), we have a couple of areas where we could use some additional guidance.

Specifically, we found that users were sending more obscure characters, such as a 'non-breaking space' character (Unicode `\u00a0`) and newline characters (`\n`), which were causing issues with our validation. With some research, we figured out how to whitelist the non-breaking space character: you can directly enter it into the whitelist (Option+Space on Mac or Alt+0160 on Windows), although it simply appears as a space.

However, we're still unsure how to add non-printable characters to the whitelist, such as the newline character.

My questions are:

  1. Whitelisting non-printable characters: Is there a specific method for whitelisting non-printable characters like the newline character (`\n`)?
  2. Character blacklisting: In most cases, blacklisting certain characters rather than whitelisting could be more beneficial for our use case. Is there a way to implement a blacklist in the current 'prevent' filter or elsewhere in the system? From my understanding, the 'prevent' filter is more about phrases than specific characters.

We've tried to search through the documentation and experiment on our own, but haven't been able to find specific answers to these queries. Any insights or guidance would be greatly appreciated!
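The validation logic the post is after, written out as an added Python example (not Xano's filter and not code from the poster): normalize the input first so the no-break space becomes an ordinary space, spell non-printable allowlist entries as escape sequences such as `"\n"`, and reject every other control or format character instead of trying to enumerate bad ones. The allowed punctuation set and length limit are assumptions for illustration.

```python
import unicodedata

# Assumed allowlist for a free-text field: letters and digits are checked
# separately; everything else must be in this set. Non-printables are
# written as escape sequences so they stay visible in the configuration.
ALLOWED_PUNCT = set(" .,'-@_\n")  # ordinary space and newline included


def normalize(value: str) -> str:
    """Fold look-alike characters onto their canonical form.

    NFKC maps U+00A0 (no-break space) to U+0020 and compatibility digits
    to ASCII digits, so the allowlist only needs the plain forms.
    """
    value = unicodedata.normalize("NFKC", value)
    # NFKC leaves line endings alone; treat CRLF and bare CR as newline.
    return value.replace("\r\n", "\n").replace("\r", "\n")


def validate_field(raw: str, max_len: int = 500):
    """Allowlist validator.

    Returns (True, normalized_value) when every character is permitted,
    otherwise (False, reason). Unknown categories are rejected, which is
    what makes an allowlist stricter than a blocklist of known characters.
    """
    value = normalize(raw)
    if len(value) > max_len:
        return False, "too long"
    for ch in value:
        if ch.isalnum() or ch in ALLOWED_PUNCT:
            continue
        # Cc (control), Cf (format, e.g. zero-width space), Cn, Co, Cs
        if unicodedata.category(ch).startswith("C"):
            return False, f"non-printable character U+{ord(ch):04X}"
        return False, f"disallowed character {ch!r}"
    return True, value
```

Store the normalized value, not the raw one, so the copy that reaches the template or the next system is the one that was actually checked.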
