Sanitisation

Sanitisation is the process of filtering out potentially malicious code from user input.

The process usually involves removing HTML code that could be executed either on the server or in other users' browsers.

Unsanitised input is a security risk because it allows attackers to perform XSS and CSRF attacks.

Script

HTML elements like <b>, <em> and <u> are harmless. But a <script> tag can contain JavaScript code that the browser will execute when the page is rendered.

Inline JavaScript

Regular HTML elements can also carry JavaScript code in inline event-handler attributes (the attributes whose names begin with "on", such as the onload below). These attributes have to be stripped out as well.

<p onload="alert('hi')"></p>

External request

Lastly, there is a group of HTML elements that make requests to external resources. Examples are <img> and <iframe>. An attacker can use the src attribute of these tags to make a request to a server of their choosing as soon as the element is loaded.
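As an added example (not part of the original notes), here is a small allow-list sanitiser in JavaScript that applies the three rules above: drop <script> together with its body, strip inline on* handler attributes, and remove elements and attributes that fetch external resources. The tag and attribute lists are illustrative assumptions, and a maintained library such as DOMPurify is the right choice for real applications.

```javascript
// Added example: allow-list HTML sanitiser covering the three cases in the notes.
// Teaching aid only; it tokenises tags with a regex and leaves text nodes as-is.

// Elements that may survive (our own choice for this example).
const ALLOWED_TAGS = new Set(['b', 'em', 'u', 'i', 'strong', 'p', 'br']);
// Elements whose body is code or a foreign document, so the contents go too.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object']);
// Attributes that make the browser fetch something when the element loads.
const FETCHING_ATTRS = new Set(['src', 'srcset', 'href', 'action']);

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Keep every attribute except inline event handlers (on*) and fetching ones.
function filterAttributes(raw) {
  const kept = [];
  for (const m of raw.replace(/\/\s*$/, '').matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (name.startsWith('on')) continue;        // onload, onmouseover, ...
    if (FETCHING_ATTRS.has(name)) continue;     // src on <img>, <iframe>, ...
    kept.push(m[2] === undefined ? name : `${name}=${m[2]}`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

function sanitise(html) {
  let out = '';
  let i = 0;              // start of the text not yet copied to out
  let skipUntil = null;   // closing tag name while discarding a <script> body
  for (const m of html.matchAll(TAG_RE)) {
    const [tag, name, attrs] = m;
    const lower = name.toLowerCase();
    const closing = tag.startsWith('</');
    if (skipUntil) {      // inside a dropped element: swallow text and tags
      if (closing && lower === skipUntil) { skipUntil = null; i = m.index + tag.length; }
      continue;
    }
    out += html.slice(i, m.index);              // text before this tag
    i = m.index + tag.length;
    if (!ALLOWED_TAGS.has(lower)) {
      if (!closing && DROP_WITH_CONTENT.has(lower)) skipUntil = lower;
      continue;                                 // drop the tag itself
    }
    out += closing ? `</${lower}>` : `<${lower}${filterAttributes(attrs)}>`;
  }
  // An unterminated <script> swallows the rest of the input.
  return out + (skipUntil ? '' : html.slice(i));
}
```

Unknown tags are removed rather than escaped, so `<a>` and `<img>` disappear entirely while their inner text (for `<a>`) is kept.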
