Preventing cross-site scripting etc.

Do I need to encode all text user inputs between the page and the back end to prevent these sorts of attacks, or does the Wix Code framework do that for me?

1 Like

Wendy, I see that you do not get an answer, so I will try to help you out (I know how frustrating it is not receiving answers).
First, this issue has come up a couple of times in the past. The Wix answer always was something like “do not worry, we take care of it”. I have run into their filter once and I could not edit my site because I used a function name (in code!!) called “sleep”, which was flagged as an SQL-injection somewhere down the line (it worked a tad too good).
Wix also does not give you access to the DOM, it's a pretty well controlled environment. The only thing that does give you access to the DOM is the HTML-component. Wix has had some problems there with XSS, so since then (way before Wix Code was even contemplated) they made HTTPS mandatory.
So, in short, do we check for XSS, do we sanitize our queries input from text boxes? Nope, we don't. And so far, I have not witnessed any breaches or great mayhem.
Does this help you?

1 Like

Yes it does, thank you.