> On 13 May 2015, at 05:33, jumbo jim <[email protected]> wrote:
>
> I am thinking about user-submitted data that I want to save. I currently
> validate and submit data directly to couch, and when I want to display the
> data back to users.. I escape it first to avoid xss. Validate on input,
> escape on output.
>
> My question relates specifically to the step when I save the user-submitted
> data to couch. Ie - they submit a string.. and I want to save that to a
> field within a document. Can couchdb accept any arbitrary string for a
> field within a document? I validate against string length. I have observed
> that special characters (quotes, newlines etc) are automatically
> escaped etc (ie \\n). Couchdb also accepts unicode. Are there any
> situations where I need to be wary about what type of data I save to a
> document that may have been submitted by an evil user?

Ah, you want a validate_doc_update function:

http://docs.couchdb.org/en/1.6.1/couchapp/ddocs.html?highlight=validate_doc_update#validate-document-update-functions

Best
Jan
--
Professional Support for Apache CouchDB:
http://www.neighbourhood.ie/couchdb-support/
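
An added example (not from this thread or the CouchDB documentation) of a validate_doc_update function of the kind the reply points to, enforcing the type and length checks on the server for every write. The `comment` type, the `text` field, the 2000 limit, the design document name and the `check` helper are assumptions made for illustration.

```javascript
// Added example: validate_doc_update for a hypothetical "comment" document
// with one user-supplied field, `text`. Names and limits are assumptions.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  var MAX_TEXT_LENGTH = 2000;            // assumed limit
  var ALLOWED = ['type', 'text'];        // fields the application writes

  if (newDoc._deleted) { return; }       // allow deletions

  if (newDoc.type !== 'comment') {
    throw({ forbidden: 'type must be "comment"' });
  }
  for (var key in newDoc) {
    // Top-level fields starting with "_" are reserved for CouchDB itself.
    if (key.charAt(0) === '_') { continue; }
    if (ALLOWED.indexOf(key) === -1) {
      throw({ forbidden: 'unexpected field: ' + key });
    }
  }
  // JSON lets a client send an object, array or number where the
  // application expects a string, so check the type before the length.
  if (typeof newDoc.text !== 'string') {
    throw({ forbidden: 'text must be a string' });
  }
  // .length counts UTF-16 code units, not user-visible characters.
  if (newDoc.text.length < 1 || newDoc.text.length > MAX_TEXT_LENGTH) {
    throw({ forbidden: 'text must be 1 to ' + MAX_TEXT_LENGTH + ' characters' });
  }
}

// CouchDB stores the function as source text in a design document.
var designDoc = {
  _id: '_design/validation',             // assumed name
  validate_doc_update: validateDocUpdate.toString()
};

// Local helper: returns null when the write would be accepted,
// otherwise the rejection message.
function check(doc) {
  try {
    validateDocUpdate(doc, null, { name: null, roles: [] }, {});
    return null;
  } catch (e) {
    return e.forbidden;
  }
}
```

Markup such as `<script>` in `text` is still accepted as data here; escaping on output remains the XSS control.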
