How to render user posts with links but no other html?

I’m building a website similar to Twitter. A user can make a post and mention another user using the @username notation.

At first I was going to parse each post server side and add HTML tags around the @mentions, then render the post as a template.HTML (I’m using Go server side), but then I realized that users would be able to add any HTML they want, and I don’t want that. Is there a way to render the posts as HTML while ignoring any HTML that the user tries to upload? Any code/markup that they upload should be shown in plain text.

Or would it be better to add the markup around the @mentions client side using JavaScript?


> Solution:

Great worry! This type of HTML injection from user input is a real problem; fortunately, there’s an easy fix: you can escape HTML characters so the browser understands that there’s a literal “<” character in the text, not the start of an HTML element.

In Go, there’s html.EscapeString, to which you pass the user input; the result can then safely be used inside HTML. So you would sanitize the input and after that parse it and link the @mentions.
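The order the answer describes (escape first, link mentions second) matters: if you wrapped mentions in anchors before escaping, the escaping step would neutralize your own tags, and if you only escaped what you thought was user text, a crafted mention could smuggle markup through. The following is an added example, not code from the asker or the answerer; the `/u/<name>` profile path and the username rule (1 to 15 word characters) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"regexp"
)

// mentionRe matches an @username token. Group 1 is the character before
// the "@" (start of string or a non-word character) so that the "@" in an
// e-mail address such as bob@example.com is not treated as a mention.
// Group 2 is the username itself. The 1-15 word-character rule is a
// constructed username policy for this example; use the site's own rule.
var mentionRe = regexp.MustCompile(`(^|[^\w])@(\w{1,15})\b`)

// RenderPost turns raw user text into HTML that is safe to embed in a page.
// Step 1: html.EscapeString replaces <, >, &, ' and " with entities, so any
//         tags the user typed become literal text.
// Step 2: only then are @mentions wrapped in anchor tags that this code
//         constructs. Because a username can contain only word characters,
//         nothing inside the generated href or anchor text needs escaping.
// The result is returned as template.HTML, which html/template trusts as-is,
// so it must only ever be produced from already-escaped input like this.
func RenderPost(raw string) template.HTML {
	escaped := html.EscapeString(raw)
	// ${1} re-emits the boundary character, ${2} is the username.
	linked := mentionRe.ReplaceAllString(escaped, `${1}<a href="/u/${2}">@${2}</a>`)
	return template.HTML(linked)
}

func main() {
	// Constructed sample post containing a mention, a script tag and an
	// e-mail address.
	post := "hi @alice <script>alert(1)</script> mail bob@example.com"
	fmt.Println(RenderPost(post))
	// hi <a href="/u/alice">@alice</a> &lt;script&gt;alert(1)&lt;/script&gt; mail bob@example.com
}
```

Because `RenderPost` returns `template.HTML`, html/template will insert it verbatim; the safety of the page therefore rests on the escaping happening inside this one function and on the rest of the application never building `template.HTML` from user input any other way. Doing this server side also keeps the behaviour identical for clients that have JavaScript disabled.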
