Sanitize every dynamic field that goes into XML/HTML, not just some
Apply the same escaping to all user-provided values written into markup; partial sanitization corrupts output.
Bad example
```javascript
// Wrapper function name is assumed; the rule only shows the returned object.
function toFeedItem(article) {
  return {
    title: sanitizeForXml(article.imageTitle), // sanitized
    newsTitle: article.title,                  // NOT sanitized
    keywords: article.tags.join(', '),         // NOT sanitized
  };
}
```
Explanation (EN)
Fields that skip the sanitizer pass raw entities and markup characters straight into the output; a title like 'Hello world' ends up double-escaped or malformed and renders as garbled text, and a value containing markup characters can be interpreted as markup instead of text.
Explanation (HR, translated)
Fields that skip the sanitizer let raw entities through; a title like 'Hello world' ends up double-escaped or malformed and is displayed as garbled text.
Good example
```javascript
// Wrapper function name is assumed; the rule only shows the returned object.
function toFeedItem(article) {
  return {
    title: sanitizeForXml(article.imageTitle),
    newsTitle: sanitizeForXml(article.title),
    keywords: sanitizeForXml(article.tags.join(', ')),
  };
}
```
Explanation (EN)
Routing every dynamic field through the same sanitizer guarantees consistent, valid markup output.
Explanation (HR, translated)
Passing every dynamic field through the same sanitizer guarantees consistent and valid markup output.
Exceptions / Tradeoffs (EN)
Constant, developer-controlled literals do not need sanitizing, but anything sourced from external data does.
Exceptions / Tradeoffs (HR, translated)
Constant literals under the developer's control do not need sanitizing, but anything that comes from external data does.
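The rule above as an added, runnable JavaScript example (not code from the rules library): a `sanitizeForXml` implementation, the partially sanitized builder beside the fully sanitized one, and an audit helper that flags any field whose value still contains bare markup characters. All function names except `sanitizeForXml`, and the sample article, are constructed for this example.

```javascript
// Escape the five characters XML reserves; one regex pass, so '&' is never escaped twice.
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

function sanitizeForXml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// The "bad example": only one of three dynamic fields is sanitized (name assumed).
function toFeedItemPartial(article) {
  return {
    title: sanitizeForXml(article.imageTitle),
    newsTitle: article.title,
    keywords: article.tags.join(', '),
  };
}

// The "good example": every dynamic field goes through the same sanitizer (name assumed).
function toFeedItem(article) {
  return {
    title: sanitizeForXml(article.imageTitle),
    newsTitle: sanitizeForXml(article.title),
    keywords: sanitizeForXml(article.tags.join(', ')),
  };
}

// Audit helper (assumed): a '<' or a '&' that does not start an entity reference
// means the field bypassed the sanitizer and would corrupt or be parsed as markup.
function findUnescapedFields(item) {
  const bare = /<|&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)/;
  return Object.keys(item).filter((key) => bare.test(item[key]));
}

// Constructed sample article with markup characters in user-controlled fields.
const sampleArticle = {
  imageTitle: 'Q&A <live>',
  title: 'Tom & Jerry "reunion"',
  tags: ['cats & dogs', '<script>'],
};

console.log(findUnescapedFields(toFeedItemPartial(sampleArticle))); // [ 'newsTitle', 'keywords' ]
console.log(findUnescapedFields(toFeedItem(sampleArticle)));        // []
```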