Build-Up - 7 Steps

FoundationUnderstanding user input in Vue

Concept: Learn how Vue captures and binds user input from forms.

In Vue, user input is often captured using v-model on form elements like or

. This creates a two-way binding between the input field and your component's data. For example, <input v-model="name" /> keeps the 'name' data updated as the user types.</div><div class="dlm-step-result "><div class="dlm-result-label">Result</div><div>You can see the data change live as you type in the input field.</div></div><div class="dlm-step-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span class="dlm-insight-text">Knowing how Vue binds input data is essential before you can clean or check that data.</span></div></div></div><div class="dlm-buildup-step " style="--step-color:#3b82f6;--step-bg:#eff6ff"><div class="dlm-step-header"><div class="dlm-step-number">2</div><div class="dlm-step-meta"><span class="dlm-level-badge" style="background:#2563eb">Foundation</span><span class="dlm-step-title">What makes input unsafe or problematic</span></div><svg class="dlm-step-chevron " viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><polyline points="6 9 12 15 18 9"></polyline></svg></div><div class="dlm-step-body d-none"><div class="dlm-self-check d-none"><span class="dlm-self-check-icon">🤔</span><span></span></div><div class="dlm-step-concept"><strong>Concept:</strong> <span>Identify common unsafe input types like scripts or special characters.</span></div><div class="dlm-step-content">Users can type anything, including HTML tags, JavaScript code, or strange symbols. For example, typing <script>alert('hi')</script> could cause your app to run unwanted code if not handled properly. Unsafe input can cause bugs, crashes, or security holes.</div><div class="dlm-step-result "><div class="dlm-result-label">Result</div><div>You understand why raw user input can be dangerous if used directly.</div></div><div class="dlm-step-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span class="dlm-insight-text">Recognizing unsafe input types helps you see why sanitizing is necessary.</span></div></div></div><div class="dlm-buildup-step " style="--step-color:#eab308;--step-bg:#fefce8"><div class="dlm-step-header"><div class="dlm-step-number">3</div><div class="dlm-step-meta"><span class="dlm-level-badge" style="background:#ca8a04">Intermediate</span><span class="dlm-step-title">Basic sanitizing with built-in JavaScript methods</span></div><svg class="dlm-step-chevron " viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><polyline points="6 9 12 15 18 9"></polyline></svg></div><div class="dlm-step-body d-none"><div class="dlm-self-check "><span class="dlm-self-check-icon">🤔</span><span>Before reading on: do you think simply removing < and > characters is enough to sanitize input? Commit to your answer.</span></div><div class="dlm-step-concept"><strong>Concept:</strong> <span>Use simple string methods to remove or replace harmful characters.</span></div><div class="dlm-step-content">You can use JavaScript methods like replace() to remove characters like < and > from input strings. For example, input.replace(/</g, '<').replace(/>/g, '>') changes < and > to safe HTML entities. This prevents browsers from interpreting input as code.</div><div class="dlm-step-result "><div class="dlm-result-label">Result</div><div>Input like <script> becomes <script>, which shows as text instead of running code.</div></div><div class="dlm-step-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span class="dlm-insight-text">Understanding basic string replacement is a first step but not always enough for full security.</span></div></div></div><div class="dlm-buildup-step " style="--step-color:#eab308;--step-bg:#fefce8"><div class="dlm-step-header"><div class="dlm-step-number">4</div><div class="dlm-step-meta"><span class="dlm-level-badge" style="background:#ca8a04">Intermediate</span><span class="dlm-step-title">Using libraries for robust sanitizing</span></div><svg class="dlm-step-chevron " viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><polyline points="6 9 12 15 18 9"></polyline></svg></div><div class="dlm-step-body d-none"><div class="dlm-self-check "><span class="dlm-self-check-icon">🤔</span><span>Before reading on: do you think writing your own sanitizer is safer than using a well-tested library? Commit to your answer.</span></div><div class="dlm-step-concept"><strong>Concept:</strong> <span>Leverage trusted libraries like DOMPurify to clean input safely and easily.</span></div><div class="dlm-step-content">DOMPurify is a popular library that removes dangerous HTML and scripts from input. You can install it and use it in Vue by importing and calling DOMPurify.sanitize(userInput). It handles many edge cases and is regularly updated for security.</div><div class="dlm-step-result "><div class="dlm-result-label">Result</div><div>Input with complex scripts or tags is cleaned safely without breaking your app.</div></div><div class="dlm-step-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span class="dlm-insight-text">Using a tested library reduces risks and saves time compared to custom solutions.</span></div></div></div><div class="dlm-buildup-step " style="--step-color:#eab308;--step-bg:#fefce8"><div class="dlm-step-header"><div class="dlm-step-number">5</div><div class="dlm-step-meta"><span class="dlm-level-badge" style="background:#ca8a04">Intermediate</span><span class="dlm-step-title">Sanitizing input before rendering in Vue templates</span></div><svg class="dlm-step-chevron " viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><polyline points="6 9 12 15 18 9"></polyline></svg></div><div class="dlm-step-body d-none"><div class="dlm-self-check d-none"><span class="dlm-self-check-icon">🤔</span><span></span></div><div class="dlm-step-concept"><strong>Concept:</strong> <span>Apply sanitizing to user input before showing it in the app to prevent XSS attacks.</span></div><div class="dlm-step-content">When displaying user input in Vue templates, use sanitized data. For example, in your component, create a computed property that returns sanitized input, then bind it in the template with {{ sanitizedInput }}. Avoid using v-html with raw user input unless sanitized.</div><div class="dlm-step-result "><div class="dlm-result-label">Result</div><div>Your app shows user input safely without running harmful code.</div></div><div class="dlm-step-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span class="dlm-insight-text">Sanitizing before rendering is key to stopping cross-site scripting (XSS) attacks.</span></div></div></div><div class="dlm-buildup-step " style="--step-color:#ef4444;--step-bg:#fef2f2"><div class="dlm-step-header"><div class="dlm-step-number">6</div><div class="dlm-step-meta"><span class="dlm-level-badge" style="background:#dc2626">Advanced</span><span class="dlm-step-title">Sanitizing input in Vue with reactive forms</span></div><svg class="dlm-step-chevron " viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><polyline points="6 9 12 15 18 9"></polyline></svg></div><div class="dlm-step-body d-none"><div class="dlm-self-check "><span class="dlm-self-check-icon">🤔</span><span>Before reading on: do you think sanitizing input only on submit is enough, or should it happen as the user types? Commit to your answer.</span></div><div class="dlm-step-concept"><strong>Concept:</strong> <span>Integrate sanitizing into reactive form handling for real-time safety.</span></div><div class="dlm-step-content">In Vue, you can watch input data with watchers or use computed setters to sanitize input as the user types. This prevents unsafe data from ever entering your app state. For example, a watcher on 'name' can update it with sanitized content immediately.</div><div class="dlm-step-result "><div class="dlm-result-label">Result</div><div>Your app state always holds clean data, reducing risks and bugs.</div></div><div class="dlm-step-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span class="dlm-insight-text">Sanitizing early in the data flow prevents unsafe data from spreading in your app.</span></div></div></div><div class="dlm-buildup-step " style="--step-color:#8b5cf6;--step-bg:#f5f3ff"><div class="dlm-step-header"><div class="dlm-step-number">7</div><div class="dlm-step-meta"><span class="dlm-level-badge" style="background:#7c3aed">Expert</span><span class="dlm-step-title">Handling sanitizing with server-side rendering (SSR)</span></div><svg class="dlm-step-chevron " viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><polyline points="6 9 12 15 18 9"></polyline></svg></div><div class="dlm-step-body d-none"><div class="dlm-self-check "><span class="dlm-self-check-icon">🤔</span><span>Before reading on: do you think sanitizing only on the client side is enough when using SSR? Commit to your answer.</span></div><div class="dlm-step-concept"><strong>Concept:</strong> <span>Understand sanitizing challenges and strategies when Vue apps render on the server.</span></div><div class="dlm-step-content">With SSR, user input might be rendered on the server before reaching the browser. You must sanitize input both on server and client to avoid injecting unsafe content. This means integrating sanitizing libraries in your server code and ensuring consistent sanitizing logic.</div><div class="dlm-step-result "><div class="dlm-result-label">Result</div><div>Your app stays safe regardless of where rendering happens.</div></div><div class="dlm-step-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span class="dlm-insight-text">Knowing SSR sanitizing prevents security holes that appear only in server-rendered apps.</span></div></div></div></div></div></article><article class="content-card dlm-card"><div class="code-articles-card-header"><span class="card-icon tips"><span class="new-material-symbols icon-hw-24"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#F59E0B"><path d="M580-80q-25 0-42.5-17.5T520-140v-200q0-18 9-32t24-22l20 39q4 7 10 11t14 4q15 0 23-12.5t1-26.5l-11-21h60l23 45q4 7 10 11t14 4q15 0 23-12.5t1-26.5l-11-21h60l23 45q4 7 10 11t14 4q15 0 23-12.5t1-26.5l-11-21h10q25 0 42.5 17.5T920-340v200q0 25-17.5 42.5T860-80H580Zm0-60h280v-140H580v140Zm12-343q-15 8-31 2.5T537-501q-8-17-22.5-28T482-540q-25 0-42.5 17T422-481q0 18 9.5 32.5T458-426q15 8 21 23.5t-2 30.5q-8 15-23.5 21t-30.5-2q-38-17-59.5-51T342-480q0-58 41-99t99-41q42 0 76.5 22t51.5 60q8 15 2.5 31T592-483ZM411-80q-17 0-30-11t-15-28l-12-89q-13-5-24.5-12T307-235l-62 26q-25 11-50 2t-39-32l-47-82q-14-23-8-49t27-43l53-40q-1-7-1-13.5v-27q0-6.5 1-13.5l-53-40q-21-17-27-43t8-49l47-82q14-23 39-32t50 2l62 26q11-8 23-15t24-12l8-66q3-27 23-44.5t47-17.5h96q27 0 47 17.5t23 44.5l8 66q13 5 24.5 12t22.5 15l60-26q25-11 50.5-2t39.5 32l47 82q14 23 8.5 49T832-547l-46 35q-14 10-30 8t-26-16q-10-14-7.5-30t15.5-26l39-30-39-68-99 42q-22-23-48.5-38.5T533-694l-13-106h-79l-14 106q-31 8-57.5 23.5T321-633l-99-41-39 68 86 64q-5 15-7 30t-2 32q0 16 2 31t7 30l-86 65 39 68 99-42q24 25 54 42t65 22v150q0 14-8 24t-21 10Zm70-401Zm0 0Z"></path></svg></span></span><span class="codefly-card-title">Under the Hood</span></div><div class="code-articles-card-body"><div class="dlm-mechanism-text">Sanitizing works by scanning the input string and removing or replacing characters and patterns that could be interpreted as code or harmful instructions. Libraries like DOMPurify parse the input as HTML, then remove dangerous tags, attributes, and scripts before returning safe content. This prevents browsers from executing injected code when rendering.</div><div class="dlm-design-reason "><div class="dlm-design-reason-label">Why designed this way?</div><div>Sanitizing was designed to protect apps from attacks like cross-site scripting (XSS), where attackers inject malicious code through user input. Early web apps trusted raw input, causing many security breaches. Sanitizing balances allowing rich user content while blocking harmful parts. Libraries evolved to handle complex edge cases browsers allow.</div></div><div class="dlm-ascii-visual mechanism-diagram "><pre>User Input
   ↓
[Sanitizer Engine]
   ├─ Remove <script> tags
   ├─ Escape special characters
   ├─ Strip event handlers (onclick)
   └─ Return clean string
   ↓
Safe Output for Rendering</pre></div></div></article><article class="content-card dlm-card"><div class="code-articles-card-header"><span class="card-icon project"><span class="new-material-symbols icon-hw-24"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="M193.33-80q-30.25 0-51.79-21.54T120-153.33v-173.34q0-30.25 21.54-51.79T193.33-400h573.34q30.25 0 51.79 21.54T840-326.67v173.34q0 30.25-21.54 51.79T766.67-80H193.33Zm-6.66-66.67h586.66v-186.66H186.67v186.66Zm252-558.66 86-153.34q4.33-7.66 11.33-11 7-3.33 14.67-1.33 7.66 2 13.3 6.5 5.63 4.5 7.36 13.5L600-677.33 768-724q9-2.33 16.17.67 7.16 3 11.5 9 4.33 6 4.66 13.33.34 7.33-5 15L694-541.33l43 25q12 7.33 15.17 20.66 3.16 13.34-4.17 25.34t-21 15.16q-13.67 3.17-25.67-4.16l-71.33-44q-12.67-7.67-15.33-21.5-2.67-13.84 5.66-25.84l51-75.33-124.66 29-22-123.33-65.34 113-106.66-77.34L387-557.33l-129.33 22.66L288-516.33q12 6.66 15.5 19.66t-3.17 25q-6.66 12-20 15.5-13.33 3.5-25.33-3.16l-132.67-76q-7.66-4.34-10.83-11.34t-1.17-14.66q2-7.67 6.84-12.84 4.83-5.16 13.83-7.16l172.33-29.34-46-170q-2.33-9 .34-15.83 2.66-6.83 8.66-11.17 6-4.33 13.67-4.66 7.67-.34 15.33 5l143.34 102Zm41 246ZM480-240Z"></path></svg></span></span><span class="codefly-card-title">Myth Busters - 4 Common Misconceptions</span></div><div class="code-articles-card-body"><div class="dlm-myths-grid"><div class="dlm-myth-card "><div class="dlm-myth-front "><div class="dlm-myth-self-check">Quick: Is escaping < and > characters enough to prevent all XSS attacks? Commit to yes or no.</div><div class="dlm-myth-belief"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="m480-433.33 124.67 124.66Q614.33-299 628-299q13.67 0 23.33-9.67Q661-318.33 661-332q0-13.67-9.67-23.33L526.67-480l124.66-124.67Q661-614.33 661-628q0-13.67-9.67-23.33Q641.67-661 628-661q-13.67 0-23.33 9.67L480-526.67 355.33-651.33Q345.67-661 332-661q-13.67 0-23.33 9.67Q299-641.67 299-628q0 13.67 9.67 23.33L433.33-480 308.67-355.33Q299-345.67 299-332q0 13.67 9.67 23.33Q318.33-299 332-299q13.67 0 23.33-9.67L480-433.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Common Belief:</span><span>Escaping < and > characters fully protects against all script injection.</span></div><div class="dlm-myth-tap">Tap to reveal reality <svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 16 16" class="yellow-icon-color ms-1 mb-1" height="18" width="18" xmlns="http://www.w3.org/2000/svg"><path d="M8.5 1.75v2.716l.047-.002c.312-.012.742-.016 1.051.046.28.056.543.18.738.288.273.152.456.385.56.642l.132-.012c.312-.024.794-.038 1.158.108.37.148.689.487.88.716q.113.137.195.248h.582a2 2 0 0 1 1.99 2.199l-.272 2.715a3.5 3.5 0 0 1-.444 1.389l-1.395 2.441A1.5 1.5 0 0 1 12.42 16H6.118a1.5 1.5 0 0 1-1.342-.83l-1.215-2.43L1.07 8.589a1.517 1.517 0 0 1 2.373-1.852L5 8.293V1.75a1.75 1.75 0 0 1 3.5 0"></path></svg></div></div><div class="dlm-myth-back d-none"><div class="dlm-myth-reality"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Reality:</span><span>Escaping only < and > is not enough because attackers can use other vectors like event handlers or encoded characters.</span></div><div class="dlm-myth-why"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="M459-60q-10-3.33-19-10L186.67-260q-12.34-9-19.5-23.33-7.17-14.34-7.17-30v-500q0-27 19.83-46.84Q199.67-880 226.67-880h506.66q27 0 46.84 19.83Q800-840.33 800-813.33v500q0 15.66-7.17 30-7.16 14.33-19.5 23.33L520-70q-9 6.67-19 10t-21 3.33q-11 0-21-3.33Zm-21.67-394-70.66-70.67q-10-10-23.34-9.83-13.33.17-23.33 9.83-10 10-10.17 23.5-.16 13.5 9.84 23.5l95 94.34q10 10 23.33 10 13.33 0 23.33-10l179.34-179.34q10-10 9.5-23.33-.5-13.33-10.17-23.33-10-10-23.5-10.17-13.5-.17-23.5 9.83L437.33-454Z"></path></svg></span>Why it matters:</span><span>Relying on partial escaping leaves your app vulnerable to attacks that bypass simple filters.</span></div></div></div><div class="dlm-myth-card "><div class="dlm-myth-front "><div class="dlm-myth-self-check">Quick: Should you trust user input after sanitizing it once? Commit to yes or no.</div><div class="dlm-myth-belief"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="m480-433.33 124.67 124.66Q614.33-299 628-299q13.67 0 23.33-9.67Q661-318.33 661-332q0-13.67-9.67-23.33L526.67-480l124.66-124.67Q661-614.33 661-628q0-13.67-9.67-23.33Q641.67-661 628-661q-13.67 0-23.33 9.67L480-526.67 355.33-651.33Q345.67-661 332-661q-13.67 0-23.33 9.67Q299-641.67 299-628q0 13.67 9.67 23.33L433.33-480 308.67-355.33Q299-345.67 299-332q0 13.67 9.67 23.33Q318.33-299 332-299q13.67 0 23.33-9.67L480-433.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Common Belief:</span><span>Once input is sanitized, it is always safe to use anywhere in the app.</span></div><div class="dlm-myth-tap">Tap to reveal reality <svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 16 16" class="yellow-icon-color ms-1 mb-1" height="18" width="18" xmlns="http://www.w3.org/2000/svg"><path d="M8.5 1.75v2.716l.047-.002c.312-.012.742-.016 1.051.046.28.056.543.18.738.288.273.152.456.385.56.642l.132-.012c.312-.024.794-.038 1.158.108.37.148.689.487.88.716q.113.137.195.248h.582a2 2 0 0 1 1.99 2.199l-.272 2.715a3.5 3.5 0 0 1-.444 1.389l-1.395 2.441A1.5 1.5 0 0 1 12.42 16H6.118a1.5 1.5 0 0 1-1.342-.83l-1.215-2.43L1.07 8.589a1.517 1.517 0 0 1 2.373-1.852L5 8.293V1.75a1.75 1.75 0 0 1 3.5 0"></path></svg></div></div><div class="dlm-myth-back d-none"><div class="dlm-myth-reality"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Reality:</span><span>Sanitized input can become unsafe again if transformed or combined with other data without re-sanitizing.</span></div><div class="dlm-myth-why"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="M459-60q-10-3.33-19-10L186.67-260q-12.34-9-19.5-23.33-7.17-14.34-7.17-30v-500q0-27 19.83-46.84Q199.67-880 226.67-880h506.66q27 0 46.84 19.83Q800-840.33 800-813.33v500q0 15.66-7.17 30-7.16 14.33-19.5 23.33L520-70q-9 6.67-19 10t-21 3.33q-11 0-21-3.33Zm-21.67-394-70.66-70.67q-10-10-23.34-9.83-13.33.17-23.33 9.83-10 10-10.17 23.5-.16 13.5 9.84 23.5l95 94.34q10 10 23.33 10 13.33 0 23.33-10l179.34-179.34q10-10 9.5-23.33-.5-13.33-10.17-23.33-10-10-23.5-10.17-13.5-.17-23.5 9.83L437.33-454Z"></path></svg></span>Why it matters:</span><span>Assuming sanitized input is always safe can cause hidden security holes later in the app.</span></div></div></div><div class="dlm-myth-card "><div class="dlm-myth-front "><div class="dlm-myth-self-check">Quick: Is writing your own sanitizer safer than using a popular library? Commit to yes or no.</div><div class="dlm-myth-belief"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="m480-433.33 124.67 124.66Q614.33-299 628-299q13.67 0 23.33-9.67Q661-318.33 661-332q0-13.67-9.67-23.33L526.67-480l124.66-124.67Q661-614.33 661-628q0-13.67-9.67-23.33Q641.67-661 628-661q-13.67 0-23.33 9.67L480-526.67 355.33-651.33Q345.67-661 332-661q-13.67 0-23.33 9.67Q299-641.67 299-628q0 13.67 9.67 23.33L433.33-480 308.67-355.33Q299-345.67 299-332q0 13.67 9.67 23.33Q318.33-299 332-299q13.67 0 23.33-9.67L480-433.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Common Belief:</span><span>Custom sanitizers are safer because you control exactly what happens.</span></div><div class="dlm-myth-tap">Tap to reveal reality <svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 16 16" class="yellow-icon-color ms-1 mb-1" height="18" width="18" xmlns="http://www.w3.org/2000/svg"><path d="M8.5 1.75v2.716l.047-.002c.312-.012.742-.016 1.051.046.28.056.543.18.738.288.273.152.456.385.56.642l.132-.012c.312-.024.794-.038 1.158.108.37.148.689.487.88.716q.113.137.195.248h.582a2 2 0 0 1 1.99 2.199l-.272 2.715a3.5 3.5 0 0 1-.444 1.389l-1.395 2.441A1.5 1.5 0 0 1 12.42 16H6.118a1.5 1.5 0 0 1-1.342-.83l-1.215-2.43L1.07 8.589a1.517 1.517 0 0 1 2.373-1.852L5 8.293V1.75a1.75 1.75 0 0 1 3.5 0"></path></svg></div></div><div class="dlm-myth-back d-none"><div class="dlm-myth-reality"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Reality:</span><span>Custom sanitizers often miss edge cases and are less tested, making them less safe than well-maintained libraries.</span></div><div class="dlm-myth-why"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="M459-60q-10-3.33-19-10L186.67-260q-12.34-9-19.5-23.33-7.17-14.34-7.17-30v-500q0-27 19.83-46.84Q199.67-880 226.67-880h506.66q27 0 46.84 19.83Q800-840.33 800-813.33v500q0 15.66-7.17 30-7.16 14.33-19.5 23.33L520-70q-9 6.67-19 10t-21 3.33q-11 0-21-3.33Zm-21.67-394-70.66-70.67q-10-10-23.34-9.83-13.33.17-23.33 9.83-10 10-10.17 23.5-.16 13.5 9.84 23.5l95 94.34q10 10 23.33 10 13.33 0 23.33-10l179.34-179.34q10-10 9.5-23.33-.5-13.33-10.17-23.33-10-10-23.5-10.17-13.5-.17-23.5 9.83L437.33-454Z"></path></svg></span>Why it matters:</span><span>Using untested sanitizers can introduce new vulnerabilities instead of fixing them.</span></div></div></div><div class="dlm-myth-card "><div class="dlm-myth-front "><div class="dlm-myth-self-check">Quick: Is sanitizing only needed on the client side? Commit to yes or no.</div><div class="dlm-myth-belief"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="m480-433.33 124.67 124.66Q614.33-299 628-299q13.67 0 23.33-9.67Q661-318.33 661-332q0-13.67-9.67-23.33L526.67-480l124.66-124.67Q661-614.33 661-628q0-13.67-9.67-23.33Q641.67-661 628-661q-13.67 0-23.33 9.67L480-526.67 355.33-651.33Q345.67-661 332-661q-13.67 0-23.33 9.67Q299-641.67 299-628q0 13.67 9.67 23.33L433.33-480 308.67-355.33Q299-345.67 299-332q0 13.67 9.67 23.33Q318.33-299 332-299q13.67 0 23.33-9.67L480-433.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Common Belief:</span><span>Sanitizing on the client side is enough to protect the app.</span></div><div class="dlm-myth-tap">Tap to reveal reality <svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 16 16" class="yellow-icon-color ms-1 mb-1" height="18" width="18" xmlns="http://www.w3.org/2000/svg"><path d="M8.5 1.75v2.716l.047-.002c.312-.012.742-.016 1.051.046.28.056.543.18.738.288.273.152.456.385.56.642l.132-.012c.312-.024.794-.038 1.158.108.37.148.689.487.88.716q.113.137.195.248h.582a2 2 0 0 1 1.99 2.199l-.272 2.715a3.5 3.5 0 0 1-.444 1.389l-1.395 2.441A1.5 1.5 0 0 1 12.42 16H6.118a1.5 1.5 0 0 1-1.342-.83l-1.215-2.43L1.07 8.589a1.517 1.517 0 0 1 2.373-1.852L5 8.293V1.75a1.75 1.75 0 0 1 3.5 0"></path></svg></div></div><div class="dlm-myth-back d-none"><div class="dlm-myth-reality"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Reality:</span><span>Sanitizing must happen on both client and server to prevent attacks from bypassing client checks.</span></div><div class="dlm-myth-why"><span class="dlm-myth-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="M459-60q-10-3.33-19-10L186.67-260q-12.34-9-19.5-23.33-7.17-14.34-7.17-30v-500q0-27 19.83-46.84Q199.67-880 226.67-880h506.66q27 0 46.84 19.83Q800-840.33 800-813.33v500q0 15.66-7.17 30-7.16 14.33-19.5 23.33L520-70q-9 6.67-19 10t-21 3.33q-11 0-21-3.33Zm-21.67-394-70.66-70.67q-10-10-23.34-9.83-13.33.17-23.33 9.83-10 10-10.17 23.5-.16 13.5 9.84 23.5l95 94.34q10 10 23.33 10 13.33 0 23.33-10l179.34-179.34q10-10 9.5-23.33-.5-13.33-10.17-23.33-10-10-23.5-10.17-13.5-.17-23.5 9.83L437.33-454Z"></path></svg></span>Why it matters:</span><span>Ignoring server-side sanitizing allows attackers to inject harmful data directly to the backend.</span></div></div></div></div></div></article><article class="content-card dlm-card"><div class="code-articles-card-header"><span class="card-icon intro"><span class="new-material-symbols icon-hw-24"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#3B82F6"><path d="M853.33-315.33V-562l-342 185q-15.33 8.67-32 8.33-16.66-.33-32-9L93.33-571q-9-5.33-12.83-12.67Q76.67-591 76.67-600q0-9 3.83-16.33 3.83-7.34 12.83-12.67l354-193.33q7.67-4.34 15.5-6.5 7.84-2.17 16.5-2.17 8.67 0 16.5 2.17 7.84 2.16 15.5 6.5l391 212.66q8.67 4.34 13.17 12.5Q920-589 920-580v264.67q0 14.33-9.5 23.83-9.5 9.5-23.83 9.5-14.34 0-23.84-9.5t-9.5-23.83Zm-406 177.66-220-120q-16-9-25.33-24.66-9.33-15.67-9.33-34.34v-166.66l254.66 139q15.34 8.66 32 8.66 16.67 0 32-8.66l254.67-139v166.66q0 18.67-9.33 34.34-9.34 15.66-25.34 24.66l-220 120q-7.66 4.34-15.5 6.5Q488-129 479.33-129q-8.66 0-16.5-2.17-7.83-2.16-15.5-6.5Z"></path></svg></span></span><span class="codefly-card-title">Expert Zone</span></div><div class="code-articles-card-body"><div class="dlm-expert-nuances"><div class="dlm-nuance-item"><div class="dlm-nuance-number">1</div><div class="dlm-nuance-text">Sanitizing can affect user experience by removing or altering input; balancing security and usability is a subtle art.</div></div><div class="dlm-nuance-item"><div class="dlm-nuance-number">2</div><div class="dlm-nuance-text">Some sanitizers allow configurable policies to permit safe HTML tags while blocking dangerous ones, requiring deep understanding of HTML and security.</div></div><div class="dlm-nuance-item"><div class="dlm-nuance-number">3</div><div class="dlm-nuance-text">Sanitizing performance matters in large apps; knowing when to sanitize once versus multiple times can optimize speed without losing safety.</div></div></div><div class="dlm-when-not"><div class="dlm-when-not-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="m480-433.33 124.67 124.66Q614.33-299 628-299q13.67 0 23.33-9.67Q661-318.33 661-332q0-13.67-9.67-23.33L526.67-480l124.66-124.67Q661-614.33 661-628q0-13.67-9.67-23.33Q641.67-661 628-661q-13.67 0-23.33 9.67L480-526.67 355.33-651.33Q345.67-661 332-661q-13.67 0-23.33 9.67Q299-641.67 299-628q0 13.67 9.67 23.33L433.33-480 308.67-355.33Q299-345.67 299-332q0 13.67 9.67 23.33Q318.33-299 332-299q13.67 0 23.33-9.67L480-433.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>When NOT to use</div><div>Sanitizing is not a substitute for validating input correctness or for escaping output in different contexts like URLs or SQL queries. Use validation libraries for rules and context-specific escaping for output. For example, use parameterized queries for databases instead of relying on sanitizing input.</div></div><div class="dlm-production"><div class="dlm-production-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Production Patterns</div><div>In production Vue apps, sanitizing is often combined with validation and escaping. Developers use libraries like DOMPurify in components and server code, sanitize input on form submission and before rendering with v-html, and integrate sanitizing in Vuex or Pinia stores to keep app state clean. Security audits include testing sanitizing effectiveness.</div></div></div></article><article class="content-card dlm-card"><div class="code-articles-card-header"><span class="card-icon intro"><span class="new-material-symbols icon-hw-24"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#3B82F6"><path d="M602.67-120v-123.33h-156V-650H358v126.67H80V-840h278v123.33h244.67V-840H880v316.67H602.67V-650h-89.34v340h89.34v-126.67H880V-120H602.67Zm-456-653.33V-590v-183.33ZM669.33-370v183.33V-370Zm0-403.33V-590v-183.33Zm0 183.33h144v-183.33h-144V-590Zm0 403.33h144V-370h-144v183.33ZM146.67-590h144.66v-183.33H146.67V-590Z"></path></svg></span></span><span class="codefly-card-title">Connections</span></div><div class="code-articles-card-body"><div class="dlm-connections-list"><div class="dlm-connection-item"><div class="dlm-connection-to">Cross-Site Scripting (XSS)</div><div class="dlm-connection-rel">Sanitizing input is a primary defense against XSS attacks.</div><div class="dlm-connection-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span>Understanding sanitizing helps grasp how attackers exploit input to run harmful scripts and how to stop them.</span></div></div><div class="dlm-connection-item"><div class="dlm-connection-to">Data Validation</div><div class="dlm-connection-rel">Sanitizing complements validation by cleaning input after checking its correctness.</div><div class="dlm-connection-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span>Knowing the difference and connection between validation and sanitizing improves overall input handling.</span></div></div><div class="dlm-connection-item"><div class="dlm-connection-to">Water Filtration Systems</div><div class="dlm-connection-rel">Both filter out harmful elements from a raw source to make it safe for use.</div><div class="dlm-connection-insight"><span class="dlm-insight-icon"><svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 24 24" class="yellow-icon-color" height="22" width="22" xmlns="http://www.w3.org/2000/svg"><path d="M7.94101 18C7.64391 16.7274 6.30412 15.6857 5.75395 14.9992C4.65645 13.6297 4 11.8915 4 10C4 5.58172 7.58172 2 12 2C16.4183 2 20 5.58172 20 10C20 11.8925 19.3428 13.6315 18.2443 15.0014C17.6944 15.687 16.3558 16.7276 16.059 18H7.94101ZM16 20V21C16 22.1046 15.1046 23 14 23H10C8.89543 23 8 22.1046 8 21V20H16ZM13 10.0048V6L8.5 12.0048H11V16.0048L15.5 10.0048H13Z"></path></svg></span><span>Seeing sanitizing as filtering helps appreciate the layered approach needed for safety.</span></div></div></div></div></article><article class="content-card dlm-card"><div class="code-articles-card-header"><span class="card-icon project"><span class="new-material-symbols icon-hw-24"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="m480-513.33 80.67 80.66Q570.33-423 584-423q13.67 0 23.33-9.67Q617-442.33 617-456q0-13.67-9.67-23.33L526.67-560l80.66-80.67Q617-650.33 617-664q0-13.67-9.67-23.33Q597.67-697 584-697q-13.67 0-23.33 9.67L480-606.67l-80.67-80.66Q389.67-697 376-697q-13.67 0-23.33 9.67Q343-677.67 343-664q0 13.67 9.67 23.33L433.33-560l-80.66 80.67Q343-469.67 343-456q0 13.67 9.67 23.33Q362.33-423 376-423q13.67 0 23.33-9.67L480-513.33ZM240-240 136.67-136.67Q121-121 100.5-129.6 80-138.21 80-160.33v-653q0-27 19.83-46.84Q119.67-880 146.67-880h666.66q27 0 46.84 19.83Q880-840.33 880-813.33v506.66q0 27-19.83 46.84Q840.33-240 813.33-240H240Zm-28.67-66.67h602v-506.66H146.67v575l64.66-68.34Zm-64.66 0v-506.66 506.66Z"></path></svg></span></span><span class="codefly-card-title">Common Pitfalls</span></div><div class="code-articles-card-body"><div class="dlm-pitfalls-list"><div class="dlm-pitfall-item"><div class="dlm-pitfall-header"><span class="dlm-pitfall-number">#1</span><span class="dlm-pitfall-title">Sanitizing input only when displaying it, not when storing or processing.</span></div><div class="dlm-pitfall-body"><div class="dlm-pitfall-wrong"><span class="dlm-pitfall-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="m480-433.33 124.67 124.66Q614.33-299 628-299q13.67 0 23.33-9.67Q661-318.33 661-332q0-13.67-9.67-23.33L526.67-480l124.66-124.67Q661-614.33 661-628q0-13.67-9.67-23.33Q641.67-661 628-661q-13.67 0-23.33 9.67L480-526.67 355.33-651.33Q345.67-661 332-661q-13.67 0-23.33 9.67Q299-641.67 299-628q0 13.67 9.67 23.33L433.33-480 308.67-355.33Q299-345.67 299-332q0 13.67 9.67 23.33Q318.33-299 332-299q13.67 0 23.33-9.67L480-433.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Wrong approach:</span><span>const userInput = rawInput;
const safeOutput = DOMPurify.sanitize(userInput);
// Store rawInput in database
// Use rawInput in logic</span></div><div class="dlm-pitfall-right"><span class="dlm-pitfall-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Correct approach:</span><span>const safeInput = DOMPurify.sanitize(rawInput);
// Store safeInput in database
// Use safeInput in logic and display</span></div><div class="dlm-pitfall-root"><span class="dlm-pitfall-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#3B82F6"><path d="M400-320q100 0 170-70t70-170q0-100-70-170t-170-70q-100 0-170 70t-70 170q0 100 70 170t170 70Zm-28.5-131.5Q360-463 360-480v-200q0-17 11.5-28.5T400-720q17 0 28.5 11.5T440-680v200q0 17-11.5 28.5T400-440q-17 0-28.5-11.5Zm-140 0Q220-463 220-480v-120q0-17 11.5-28.5T260-640q17 0 28.5 11.5T300-600v120q0 17-11.5 28.5T260-440q-17 0-28.5-11.5Zm280 0Q500-463 500-480v-80q0-17 11.5-28.5T540-600q17 0 28.5 11.5T580-560v80q0 17-11.5 28.5T540-440q-17 0-28.5-11.5ZM400-240q-134 0-227-93T80-560q0-134 93-227t227-93q134 0 227 93t93 227q0 56-17.5 106T653-363l199 199q11 11 11 28t-11 28q-11 11-28 11t-28-11L597-307q-41 32-91 49.5T400-240Z"></path></svg></span>Root cause:</span><span>Believing sanitizing is only needed before showing data, ignoring risks during storage or processing.</span></div></div></div><div class="dlm-pitfall-item"><div class="dlm-pitfall-header"><span class="dlm-pitfall-number">#2</span><span class="dlm-pitfall-title">Using v-html with unsanitized user input directly in Vue templates.</span></div><div class="dlm-pitfall-body"><div class="dlm-pitfall-wrong"><span class="dlm-pitfall-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="m480-433.33 124.67 124.66Q614.33-299 628-299q13.67 0 23.33-9.67Q661-318.33 661-332q0-13.67-9.67-23.33L526.67-480l124.66-124.67Q661-614.33 661-628q0-13.67-9.67-23.33Q641.67-661 628-661q-13.67 0-23.33 9.67L480-526.67 355.33-651.33Q345.67-661 332-661q-13.67 0-23.33 9.67Q299-641.67 299-628q0 13.67 9.67 23.33L433.33-480 308.67-355.33Q299-345.67 299-332q0 13.67 9.67 23.33Q318.33-299 332-299q13.67 0 23.33-9.67L480-433.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Wrong approach:</span><span><div v-html="userInput"></div> </span></div><div class="dlm-pitfall-right"><span class="dlm-pitfall-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Correct approach:</span><span>import DOMPurify from 'dompurify';
const safeInput = DOMPurify.sanitize(userInput);
<div v-html="safeInput"></div></span></div><div class="dlm-pitfall-root"><span class="dlm-pitfall-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#3B82F6"><path d="M400-320q100 0 170-70t70-170q0-100-70-170t-170-70q-100 0-170 70t-70 170q0 100 70 170t170 70Zm-28.5-131.5Q360-463 360-480v-200q0-17 11.5-28.5T400-720q17 0 28.5 11.5T440-680v200q0 17-11.5 28.5T400-440q-17 0-28.5-11.5Zm-140 0Q220-463 220-480v-120q0-17 11.5-28.5T260-640q17 0 28.5 11.5T300-600v120q0 17-11.5 28.5T260-440q-17 0-28.5-11.5Zm280 0Q500-463 500-480v-80q0-17 11.5-28.5T540-600q17 0 28.5 11.5T580-560v80q0 17-11.5 28.5T540-440q-17 0-28.5-11.5ZM400-240q-134 0-227-93T80-560q0-134 93-227t227-93q134 0 227 93t93 227q0 56-17.5 106T653-363l199 199q11 11 11 28t-11 28q-11 11-28 11t-28-11L597-307q-41 32-91 49.5T400-240Z"></path></svg></span>Root cause:</span><span>Not understanding that v-html renders raw HTML and can execute scripts if input is unsafe.</span></div></div></div><div class="dlm-pitfall-item"><div class="dlm-pitfall-header"><span class="dlm-pitfall-number">#3</span><span class="dlm-pitfall-title">Writing a simple replace to remove < and > but missing other dangerous input forms.</span></div><div class="dlm-pitfall-body"><div class="dlm-pitfall-wrong"><span class="dlm-pitfall-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#EF4444"><path d="m480-433.33 124.67 124.66Q614.33-299 628-299q13.67 0 23.33-9.67Q661-318.33 661-332q0-13.67-9.67-23.33L526.67-480l124.66-124.67Q661-614.33 661-628q0-13.67-9.67-23.33Q641.67-661 628-661q-13.67 0-23.33 9.67L480-526.67 355.33-651.33Q345.67-661 332-661q-13.67 0-23.33 9.67Q299-641.67 299-628q0 13.67 9.67 23.33L433.33-480 308.67-355.33Q299-345.67 299-332q0 13.67 9.67 23.33Q318.33-299 332-299q13.67 0 23.33-9.67L480-433.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Wrong approach:</span><span>const safeInput = userInput.replace(/</g, '').replace(/>/g, '');</span></div><div class="dlm-pitfall-right"><span class="dlm-pitfall-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span>Correct approach:</span><span>import DOMPurify from 'dompurify';
const safeInput = DOMPurify.sanitize(userInput);</span></div><div class="dlm-pitfall-root"><span class="dlm-pitfall-label"><span class="new-material-symbols icon-hw-20"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#3B82F6"><path d="M400-320q100 0 170-70t70-170q0-100-70-170t-170-70q-100 0-170 70t-70 170q0 100 70 170t170 70Zm-28.5-131.5Q360-463 360-480v-200q0-17 11.5-28.5T400-720q17 0 28.5 11.5T440-680v200q0 17-11.5 28.5T400-440q-17 0-28.5-11.5Zm-140 0Q220-463 220-480v-120q0-17 11.5-28.5T260-640q17 0 28.5 11.5T300-600v120q0 17-11.5 28.5T260-440q-17 0-28.5-11.5Zm280 0Q500-463 500-480v-80q0-17 11.5-28.5T540-600q17 0 28.5 11.5T580-560v80q0 17-11.5 28.5T540-440q-17 0-28.5-11.5ZM400-240q-134 0-227-93T80-560q0-134 93-227t227-93q134 0 227 93t93 227q0 56-17.5 106T653-363l199 199q11 11 11 28t-11 28q-11 11-28 11t-28-11L597-307q-41 32-91 49.5T400-240Z"></path></svg></span>Root cause:</span><span>Underestimating the complexity of input attacks and over-simplifying sanitizing.</span></div></div></div></div></div></article><article class="content-card dlm-card"><div class="code-articles-card-header"><span class="card-icon summary"><span class="new-material-symbols icon-hw-24"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="M186.67-120q-27.5 0-47.09-19.58Q120-159.17 120-186.67v-586.66q0-27.5 19.58-47.09Q159.17-840 186.67-840h192.66q7.67-35.33 35.84-57.67Q443.33-920 480-920t64.83 22.33Q573-875.33 580.67-840h192.66q27.5 0 47.09 19.58Q840-800.83 840-773.33v586.66q0 27.5-19.58 47.09Q800.83-120 773.33-120H186.67Zm0-66.67h586.66v-586.66H186.67v586.66ZM313.33-280H522q14.17 0 23.75-9.62 9.58-9.61 9.58-23.83 0-14.22-9.58-23.72-9.58-9.5-23.75-9.5H313.33q-14.16 0-23.75 9.62-9.58 9.62-9.58 23.83 0 14.22 9.58 23.72 9.59 9.5 23.75 9.5Zm0-166.67h333.34q14.16 0 23.75-9.61 9.58-9.62 9.58-23.84 0-14.21-9.58-23.71-9.59-9.5-23.75-9.5H313.33q-14.16 0-23.75 9.61-9.58 9.62-9.58 23.84 0 14.21 9.58 23.71 9.59 9.5 23.75 9.5Zm0-166.66h333.34q14.16 0 23.75-9.62 9.58-9.62 9.58-23.83 0-14.22-9.58-23.72-9.59-9.5-23.75-9.5H313.33q-14.16 0-23.75 9.62-9.58 9.61-9.58 23.83 0 14.22 9.58 23.72 9.59 9.5 23.75 9.5ZM503.5-804.5q9.83-9.83 9.83-23.5t-9.83-23.5q-9.83-9.83-23.5-9.83t-23.5 9.83q-9.83 9.83-9.83 23.5t9.83 23.5q9.83 9.83 23.5 9.83t23.5-9.83ZM186.67-186.67v-586.66 586.66Z"></path></svg></span></span><span class="codefly-card-title">Key Takeaways</span></div><div class="code-articles-card-body"><div class="summary-list"><div class="summary-item"><span class="new-material-symbols icon-hw-26"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span><span class="summary-text">Sanitizing user input cleans harmful parts to keep your Vue app safe from attacks and bugs.</span></div><div class="summary-item"><span class="new-material-symbols icon-hw-26"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span><span class="summary-text">Always sanitize input before using it in your app, especially before rendering with v-html or storing it.</span></div><div class="summary-item"><span class="new-material-symbols icon-hw-26"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span><span class="summary-text">Use trusted libraries like DOMPurify for robust sanitizing instead of writing your own from scratch.</span></div><div class="summary-item"><span class="new-material-symbols icon-hw-26"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span><span class="summary-text">Sanitizing complements validation and escaping but does not replace them; each has its role in security.</span></div><div class="summary-item"><span class="new-material-symbols icon-hw-26"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 -960 960 960" fill="#10B981"><path d="m422-395.33-94-94q-9.67-9.67-24-9.67t-24.67 10.33q-9.66 9.67-9.66 24 0 14.34 9.66 24l119.34 120q10 10 23.33 10 13.33 0 23.33-10L680-555.33q10.33-10.34 10.33-24.67 0-14.33-10.33-24.67-10.33-9.66-25-9.33-14.67.33-24.33 10L422-395.33ZM480-80q-82.33 0-155.33-31.5-73-31.5-127.34-85.83Q143-251.67 111.5-324.67T80-480q0-83 31.5-156t85.83-127q54.34-54 127.34-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 82.33-31.5 155.33-31.5 73-85.5 127.34Q709-143 636-111.5T480-80Z"></path></svg></span><span class="summary-text">Sanitizing must happen both on client and server sides, especially in apps using server-side rendering.</span></div></div></div></article></div></div></main><div style="position:fixed;bottom:24px;right:24px;z-index:50"><button style="background:rgba(255,255,255,0.95);border:1px solid rgba(108,99,255,0.18);border-radius:10px;padding:10px 16px;color:#5f56fe;font-size:14px;cursor:pointer;display:flex;align-items:center;gap:7px;backdrop-filter:blur(12px);box-shadow:0 2px 12px rgba(0,0,0,0.08), 0 0 0 1px rgba(108,99,255,0.06);transition:all 0.2s"><span style="font-size:14px">⚑</span>Report Issue</button></div></div> <script src="/_next/static/chunks/webpack-2e3c5ba73ff1ab77.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/8ff565d232e65bc7.css\",\"style\"]\n2:HL[\"/_next/static/css/bb5e1ea3ca137310.css\",\"style\"]\n3:HL[\"/_next/static/css/725c7861d1898ba8.css\",\"style\"]\n4:HL[\"/_next/static/css/7c88bf9c8c009fa7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"5:I[95751,[],\"\"]\n8:I[39275,[],\"\"]\ne:I[61343,[],\"\"]\nf:I[84080,[\"3004\",\"static/chunks/3004-3bfc0411eae77264.js\",\"3185\",\"static/chunks/app/layout-f58283544057195f.js\"],\"\"]\n10:I[88726,[\"3004\",\"static/chunks/3004-3bfc0411eae77264.js\",\"3185\",\"static/chunks/app/layout-f58283544057195f.js\"],\"Toaster\"]\n11:I[20154,[\"8422\",\"static/chunks/66ec4792-a0fc378024be0c7b.js\",\"6648\",\"static/chunks/6648-fff0cf0e0a1f8d25.js\",\"9160\",\"static/chunks/app/not-found-2156b996624c88a0.js\"],\"default\"]\n12:I[70548,[\"3004\",\"static/chunks/3004-3bfc0411eae77264.js\",\"3185\",\"static/chunks/app/layout-f58283544057195f.js\"],\"default\"]\n14:I[76130,[],\"\"]\n9:[\"lang\",\"en\",\"d\"]\na:[\"subject\",\"vue\",\"d\"]\nb:[\"part\",\"part-3\",\"d\"]\nc:[\"pattern\",\"vue-sanitizing-user-input\",\"d\"]\nd:[\"mode\",\"deep\",\"oc\"]\n15:[]\n"])</script><script>self.__next_f.push([1,"0:[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/8ff565d232e65bc7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],[\"$\",\"$L5\",null,{\"buildId\":\"J2rH1P74D20VnOd-Rggao\",\"assetPrefix\":\"\",\"initialCanonicalUrl\":\"/en/codefly/learn/vue/part-3/vue-sanitizing-user-input/deep\",\"initialTree\":[\"\",{\"children\":[[\"lang\",\"en\",\"d\"],{\"children\":[\"codefly\",{\"children\":[\"learn\",{\"children\":[[\"subject\",\"vue\",\"d\"],{\"children\":[[\"part\",\"part-3\",\"d\"],{\"children\":[[\"pattern\",\"vue-sanitizing-user-input\",\"d\"],{\"children\":[[\"mode\",\"deep\",\"oc\"],{\"children\":[\"__PAGE__\",{}]}]}]}]}]}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[[\"lang\",\"en\",\"d\"],{\"children\":[\"codefly\",{\"children\":[\"learn\",{\"children\":[[\"subject\",\"vue\",\"d\"],{\"children\":[[\"part\",\"part-3\",\"d\"],{\"children\":[[\"pattern\",\"vue-sanitizing-user-input\",\"d\"],{\"children\":[[\"mode\",\"deep\",\"oc\"],{\"children\":[\"__PAGE__\",{},[[\"$L6\",\"$L7\"],null],null]},[\"$\",\"$L8\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"$9\",\"children\",\"codefly\",\"children\",\"learn\",\"children\",\"$a\",\"children\",\"$b\",\"children\",\"$c\",\"children\",\"$d\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Le\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"styles\":[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/bb5e1ea3ca137310.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/725c7861d1898ba8.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"2\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/7c88bf9c8c009fa7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]]}],null]},[\"$\",\"$L8\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"$9\",\"children\",\"codefly\",\"children\",\"learn\",\"children\",\"$a\",\"children\",\"$b\",\"children\",\"$c\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Le\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"styles\":null}],null]},[\"$\",\"$L8\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"$9\",\"children\",\"codefly\",\"children\",\"learn\",\"children\",\"$a\",\"children\",\"$b\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Le\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"styles\":null}],null]},[\"$\",\"$L8\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"$9\",\"children\",\"codefly\",\"children\",\"learn\",\"children\",\"$a\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Le\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"styles\":null}],null]},[\"$\",\"$L8\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"$9\",\"children\",\"codefly\",\"children\",\"learn\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Le\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"styles\":null}],null]},[\"$\",\"$L8\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"$9\",\"children\",\"codefly\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Le\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"styles\":null}],null]},[\"$\",\"$L8\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"$9\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Le\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\",\"styles\":null}],null]},[[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[[\"$\",\"meta\",null,{\"name\":\"theme-color\",\"content\":\"#5f56fe\"}],[\"$\",\"meta\",null,{\"name\":\"msapplication-TileColor\",\"content\":\"#5f56fe\"}],[\"$\",\"$Lf\",null,{\"src\":\"https://www.googletagmanager.com/gtag/js?id=G-N2NY2DMMDW\",\"strategy\":\"afterInteractive\"}],[\"$\",\"$Lf\",null,{\"id\":\"google-analytics\",\"strategy\":\"afterInteractive\",\"children\":\"\\n            window.dataLayer = window.dataLayer || [];\\n            function gtag(){dataLayer.push(arguments);}\\n            gtag('js', new Date());\\n            gtag('config', 'G-N2NY2DMMDW', {\\n              page_path: window.location.pathname,\\n            });\\n          \"}],[\"$\",\"script\",null,{\"async\":true,\"src\":\"https://www.googletagmanager.com/gtag/js?id=AW-17928224938\"}],[\"$\",\"$Lf\",null,{\"children\":\"\\n            window.dataLayer = window.dataLayer || [];\\n            function gtag() {\\n              dataLayer.push(arguments);\\n            }\\n            gtag('js', new Date());\\n            gtag('config', 'AW-17928224938');\\n          \"}],[\"$\",\"script\",null,{\"data-grow-initializer\":\"\",\"suppressHydrationWarning\":true,\"dangerouslySetInnerHTML\":{\"__html\":\"!(function(){window.growMe||((window.growMe=function(e){window.growMe._.push(e);}),(window.growMe._=[]));var e=document.createElement(\\\"script\\\");(e.type=\\\"text/javascript\\\"),(e.src=\\\"https://faves.grow.me/main.js\\\"),(e.defer=!0),e.setAttribute(\\\"data-grow-faves-site-id\\\",\\\"U2l0ZTo0MGIxZDBlZC0wNzdlLTQ0NjgtOThmOC1kNDYyZGMwM2IwMWY=\\\");var t=document.getElementsByTagName(\\\"script\\\")[0];t.parentNode.insertBefore(e,t);})();\"}}],[\"$\",\"$Lf\",null,{\"src\":\"//scripts.scriptwrapper.com/tags/40b1d0ed-077e-4468-98f8-d462dc03b01f.js\",\"strategy\":\"afterInteractive\",\"data-noptimize\":\"1\",\"data-cfasync\":\"false\"}],[\"$\",\"script\",null,{\"type\":\"application/ld+json\",\"suppressHydrationWarning\":true,\"dangerouslySetInnerHTML\":{\"__html\":\"{\\\"@context\\\":\\\"https://schema.org\\\",\\\"@type\\\":\\\"WebApplication\\\",\\\"name\\\":\\\"Leyaa.ai\\\",\\\"description\\\":\\\"Leyaa.ai builds learning intelligence that understands how you learn - guiding what to study, how to practice, and when to move forward.\\\",\\\"url\\\":\\\"https://leyaa.ai\\\",\\\"applicationCategory\\\":\\\"EducationalApplication\\\",\\\"operatingSystem\\\":\\\"Web\\\",\\\"offers\\\":{\\\"@type\\\":\\\"Offer\\\",\\\"price\\\":\\\"0\\\",\\\"priceCurrency\\\":\\\"USD\\\"},\\\"creator\\\":{\\\"@type\\\":\\\"Organization\\\",\\\"name\\\":\\\"Leyaa.ai\\\"}}\"}}],[\"$\",\"link\",null,{\"href\":\"https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css\",\"rel\":\"stylesheet\",\"integrity\":\"sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB\",\"crossOrigin\":\"anonymous\"}],[\"$\",\"$Lf\",null,{\"id\":\"clarity-script\",\"strategy\":\"afterInteractive\",\"dangerouslySetInnerHTML\":{\"__html\":\"\\n              (function(c,l,a,r,i,t,y){\\n                c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)};\\n                t=l.createElement(r);t.async=1;t.src=\\\"https://www.clarity.ms/tag/\\\"+i;\\n                y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y);\\n              })(window, document, \\\"clarity\\\", \\\"script\\\", \\\"w4gxh6rdmh\\\");\\n            \"}}]]}],[\"$\",\"body\",null,{\"children\":[[\"$\",\"$L10\",null,{\"containerStyle\":{\"top\":70}}],[\"$\",\"div\",null,{\"className\":\"bg-grid\"}],[\"$\",\"$L8\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$Le\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":[\"$\",\"$L11\",null,{}],\"notFoundStyles\":[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/360a7cb17c5c1447.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"styles\":null}],[\"$\",\"$L12\",null,{}],\" \"]}]]}],null],null],\"couldBeIntercepted\":false,\"initialHead\":[false,\"$L13\"],\"globalErrorComponent\":\"$14\",\"missingSlots\":\"$W15\"}]]\n"])</script><script>self.__next_f.push([1,"16:I[51766,[\"8422\",\"static/chunks/66ec4792-a0fc378024be0c7b.js\",\"522\",\"static/chunks/94730671-fd9628eddbd5107b.js\",\"7240\",\"static/chunks/53c13509-19bae2f18575f9da.js\",\"7699\",\"static/chunks/8e1d74a4-a085c2fbc868135a.js\",\"5706\",\"static/chunks/9c4e2130-11ecd4bfc78e4568.js\",\"1779\",\"static/chunks/0e762574-451a0d3d25e1d222.js\",\"6648\",\"static/chunks/6648-fff0cf0e0a1f8d25.js\",\"3463\",\"static/chunks/3463-f6543702aef8b413.js\",\"4889\",\"static/chunks/4889-956a916919971629.js\",\"9985\",\"static/chunks/9985-b39235669d2563e2.js\",\"4481\",\"static/chunks/4481-d51fdda1389e5180.js\",\"7627\",\"static/chunks/7627-45a0cc811fb0bb9b.js\",\"4460\",\"static/chunks/4460-3a42c2a5c43cff06.js\",\"8150\",\"static/chunks/8150-537ae65b404d5015.js\",\"7029\",\"static/chunks/app/%5Blang%5D/codefly/learn/%5Bsubject%5D/%5Bpart%5D/%5Bpattern%5D/%5B%5B...mode%5D%5D/page-52f74c4c7ede42fd.js\"],\"default\"]\n"])</script><script>self.__next_f.push([1,"7:[[[\"$\",\"script\",\"0\",{\"type\":\"application/ld+json\",\"dangerouslySetInnerHTML\":{\"__html\":\"{\\\"@context\\\":\\\"https://schema.org\\\",\\\"@type\\\":\\\"LearningResource\\\",\\\"name\\\":\\\"Sanitizing user input in Vue - Deep Dive\\\",\\\"description\\\":\\\"Go deep on Sanitizing user input in Vue. Internals, mental models, under-the-hood mechanics, misconceptions, common pitfalls, and production patterns. For serious learners.\\\",\\\"url\\\":\\\"https://leyaa.ai/codefly/learn/vue/part-3/vue-sanitizing-user-input\\\",\\\"learningResourceType\\\":\\\"Tutorial\\\",\\\"programmingLanguage\\\":\\\"Vue\\\",\\\"inLanguage\\\":\\\"en\\\",\\\"isAccessibleForFree\\\":true,\\\"teaches\\\":\\\"Sanitizing user input in Vue - Deep Dive\\\",\\\"provider\\\":{\\\"@type\\\":\\\"Organization\\\",\\\"url\\\":\\\"https://leyaa.ai\\\"},\\\"educationalLevel\\\":\\\"Beginner to Advanced\\\",\\\"breadcrumb\\\":{\\\"@type\\\":\\\"BreadcrumbList\\\",\\\"itemListElement\\\":[{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":1,\\\"name\\\":\\\"Home\\\",\\\"item\\\":\\\"https://leyaa.ai\\\"},{\\\"@type\\\":\\\"ListItem\\\",\\\"position\\\":2,\\\"name\\\":\\\"Sanitizing user input in Vue - Deep Dive\\\",\\\"item\\\":\\\"https://leyaa.ai/codefly/learn/vue/part-3/vue-sanitizing-user-input\\\"}]}}\"}}]],[\"$\",\"$L16\",null,{\"subject\":\"vue\",\"dbSubject\":\"vue\",\"part\":\"part-3\",\"pattern\":\"vue_sanitizing_user_input\",\"modeSlug\":\"deep\",\"lang\":\"en\",\"internalLinks\":[{\"code\":\"LMC\",\"slug\":\"\",\"label\":\"📖 Learn\",\"href\":\"/codefly/learn/vue/part-3/vue-sanitizing-user-input\",\"active\":false},{\"code\":\"LMCWHY\",\"slug\":\"why\",\"label\":\"💡 Why Learn This\",\"href\":\"/codefly/learn/vue/part-3/vue-sanitizing-user-input/why\",\"active\":false},{\"code\":\"DLM\",\"slug\":\"deep\",\"label\":\"💡 Deep Learn Mode\",\"href\":\"/codefly/learn/vue/part-3/vue-sanitizing-user-input/deep\",\"active\":true},{\"code\":\"TMC\",\"slug\":\"try\",\"label\":\"✏️ Try It\",\"href\":\"/codefly/learn/vue/part-3/vue-sanitizing-user-input/try\",\"active\":false},{\"code\":\"VMC\",\"slug\":\"visualize\",\"label\":\"👁 Visualize\",\"href\":\"/codefly/learn/vue/part-3/vue-sanitizing-user-input/visualize\",\"active\":false},{\"code\":\"TCM\",\"slug\":\"complexity\",\"label\":\"⏱ Complexity\",\"href\":\"/codefly/learn/vue/part-3/vue-sanitizing-user-input/complexity\",\"active\":false},{\"code\":\"CMC\",\"slug\":\"challenge\",\"label\":\"🏆 Challenge\",\"href\":\"/codefly/learn/vue/part-3/vue-sanitizing-user-input/challenge\",\"active\":false},{\"code\":\"PMC\",\"slug\":\"project\",\"label\":\"📁 Project\",\"href\":\"/codefly/learn/vue/part-3/vue-sanitizing-user-input/project\",\"active\":false},{\"code\":\"RMC\",\"slug\":\"review\",\"label\":\"🧠 Quick Review\",\"href\":\"/codefly/learn/vue/part-3/vue-sanitizing-user-input/review\",\"active\":false}],\"isLoggedIn\":false,\"seoH1\":\"Sanitizing user input in Vue - Deep Dive\",\"contentData\":{\"pattern_id\":\"vue_sanitizing_user_input\",\"metadata\":{\"slot_map\":{\"LMCWHY\":\"LMCWHY\",\"LMC\":\"LMC\",\"TMC\":\"TMC\",\"CMC\":\"CMC\",\"RMC\":\"RMC\",\"VMC\":\"VMC\",\"TCM\":\"WPM\",\"PMC\":\"PMC\",\"DLM\":\"DLM\"}},\"modes\":{\"DLM\":{\"topic\":\"Sanitizing user input\",\"mode\":\"DLM_v1\",\"language\":\"vue\",\"content_type\":\"Frameworks \u0026 Libraries\",\"overview\":{\"what\":\"Sanitizing user input means cleaning or changing the data users type into your app to make sure it is safe and works well. It removes or changes harmful or unwanted parts, like strange symbols or code that could cause problems. This helps protect your app from attacks and bugs. In Vue, sanitizing input is important because users can type anything, and your app needs to handle it safely.\",\"why_it_matters\":\"Without sanitizing user input, bad data can break your app or let attackers do harmful things like stealing information or changing your site. Imagine if someone typed a secret code that made your app do something dangerous. Sanitizing stops this by checking and cleaning input before it is used. This keeps your app safe and trustworthy for everyone.\",\"where_it_fits\":\"Before learning sanitizing, you should know how to handle user input in Vue, like using forms and binding data. After this, you can learn about validation (checking input rules) and security best practices like authentication. Sanitizing is a key step between getting input and using it safely.\"},\"mental_model\":{\"core_idea\":\"Sanitizing user input is like cleaning dirty water before drinking to keep your app safe and healthy.\",\"analogy\":\"Think of user input as water from a river. It might have dirt, germs, or harmful things. Sanitizing is like filtering and purifying that water so it’s safe to drink and won’t make you sick.\",\"visual\":\"User Input → [Sanitizer: removes harmful parts] → Clean Input → App uses safely\"},\"build_up\":[{\"level\":\"foundation\",\"title\":\"Understanding user input in Vue\",\"concept\":\"Learn how Vue captures and binds user input from forms.\",\"content\":\"In Vue, user input is often captured using v-model on form elements like \u003cinput\u003e or \u003ctextarea\u003e. This creates a two-way binding between the input field and your component's data. For example, \u003cinput v-model=\\\"name\\\" /\u003e keeps the 'name' data updated as the user types.\",\"result\":\"You can see the data change live as you type in the input field.\",\"insight\":\"Knowing how Vue binds input data is essential before you can clean or check that data.\"},{\"level\":\"foundation\",\"title\":\"What makes input unsafe or problematic\",\"concept\":\"Identify common unsafe input types like scripts or special characters.\",\"content\":\"Users can type anything, including HTML tags, JavaScript code, or strange symbols. For example, typing \u003cscript\u003ealert('hi')\u003c/script\u003e could cause your app to run unwanted code if not handled properly. Unsafe input can cause bugs, crashes, or security holes.\",\"result\":\"You understand why raw user input can be dangerous if used directly.\",\"insight\":\"Recognizing unsafe input types helps you see why sanitizing is necessary.\"},{\"level\":\"intermediate\",\"title\":\"Basic sanitizing with built-in JavaScript methods\",\"self_check\":\"Before reading on: do you think simply removing \u003c and \u003e characters is enough to sanitize input? Commit to your answer.\",\"concept\":\"Use simple string methods to remove or replace harmful characters.\",\"content\":\"You can use JavaScript methods like replace() to remove characters like \u003c and \u003e from input strings. For example, input.replace(/\u003c/g, '\u0026lt;').replace(/\u003e/g, '\u0026gt;') changes \u003c and \u003e to safe HTML entities. This prevents browsers from interpreting input as code.\",\"result\":\"Input like \u003cscript\u003e becomes \u0026lt;script\u0026gt;, which shows as text instead of running code.\",\"insight\":\"Understanding basic string replacement is a first step but not always enough for full security.\"},{\"level\":\"intermediate\",\"title\":\"Using libraries for robust sanitizing\",\"self_check\":\"Before reading on: do you think writing your own sanitizer is safer than using a well-tested library? Commit to your answer.\",\"concept\":\"Leverage trusted libraries like DOMPurify to clean input safely and easily.\",\"content\":\"DOMPurify is a popular library that removes dangerous HTML and scripts from input. You can install it and use it in Vue by importing and calling DOMPurify.sanitize(userInput). It handles many edge cases and is regularly updated for security.\",\"result\":\"Input with complex scripts or tags is cleaned safely without breaking your app.\",\"insight\":\"Using a tested library reduces risks and saves time compared to custom solutions.\"},{\"level\":\"intermediate\",\"title\":\"Sanitizing input before rendering in Vue templates\",\"concept\":\"Apply sanitizing to user input before showing it in the app to prevent XSS attacks.\",\"content\":\"When displaying user input in Vue templates, use sanitized data. For example, in your component, create a computed property that returns sanitized input, then bind it in the template with {{ sanitizedInput }}. Avoid using v-html with raw user input unless sanitized.\",\"result\":\"Your app shows user input safely without running harmful code.\",\"insight\":\"Sanitizing before rendering is key to stopping cross-site scripting (XSS) attacks.\"},{\"level\":\"advanced\",\"title\":\"Sanitizing input in Vue with reactive forms\",\"self_check\":\"Before reading on: do you think sanitizing input only on submit is enough, or should it happen as the user types? Commit to your answer.\",\"concept\":\"Integrate sanitizing into reactive form handling for real-time safety.\",\"content\":\"In Vue, you can watch input data with watchers or use computed setters to sanitize input as the user types. This prevents unsafe data from ever entering your app state. For example, a watcher on 'name' can update it with sanitized content immediately.\",\"result\":\"Your app state always holds clean data, reducing risks and bugs.\",\"insight\":\"Sanitizing early in the data flow prevents unsafe data from spreading in your app.\"},{\"level\":\"expert\",\"title\":\"Handling sanitizing with server-side rendering (SSR)\",\"self_check\":\"Before reading on: do you think sanitizing only on the client side is enough when using SSR? Commit to your answer.\",\"concept\":\"Understand sanitizing challenges and strategies when Vue apps render on the server.\",\"content\":\"With SSR, user input might be rendered on the server before reaching the browser. You must sanitize input both on server and client to avoid injecting unsafe content. This means integrating sanitizing libraries in your server code and ensuring consistent sanitizing logic.\",\"result\":\"Your app stays safe regardless of where rendering happens.\",\"insight\":\"Knowing SSR sanitizing prevents security holes that appear only in server-rendered apps.\"}],\"under_the_hood\":{\"mechanism\":\"Sanitizing works by scanning the input string and removing or replacing characters and patterns that could be interpreted as code or harmful instructions. Libraries like DOMPurify parse the input as HTML, then remove dangerous tags, attributes, and scripts before returning safe content. This prevents browsers from executing injected code when rendering.\",\"why_designed_this_way\":\"Sanitizing was designed to protect apps from attacks like cross-site scripting (XSS), where attackers inject malicious code through user input. Early web apps trusted raw input, causing many security breaches. Sanitizing balances allowing rich user content while blocking harmful parts. Libraries evolved to handle complex edge cases browsers allow.\",\"diagram\":\"User Input\\n   ↓\\n[Sanitizer Engine]\\n   ├─ Remove \u003cscript\u003e tags\\n   ├─ Escape special characters\\n   ├─ Strip event handlers (onclick)\\n   └─ Return clean string\\n   ↓\\nSafe Output for Rendering\"},\"misconceptions\":[{\"self_check\":\"Quick: Is escaping \u003c and \u003e characters enough to prevent all XSS attacks? Commit to yes or no.\",\"belief\":\"Escaping \u003c and \u003e characters fully protects against all script injection.\",\"reality\":\"Escaping only \u003c and \u003e is not enough because attackers can use other vectors like event handlers or encoded characters.\",\"why_it_matters\":\"Relying on partial escaping leaves your app vulnerable to attacks that bypass simple filters.\"},{\"self_check\":\"Quick: Should you trust user input after sanitizing it once? Commit to yes or no.\",\"belief\":\"Once input is sanitized, it is always safe to use anywhere in the app.\",\"reality\":\"Sanitized input can become unsafe again if transformed or combined with other data without re-sanitizing.\",\"why_it_matters\":\"Assuming sanitized input is always safe can cause hidden security holes later in the app.\"},{\"self_check\":\"Quick: Is writing your own sanitizer safer than using a popular library? Commit to yes or no.\",\"belief\":\"Custom sanitizers are safer because you control exactly what happens.\",\"reality\":\"Custom sanitizers often miss edge cases and are less tested, making them less safe than well-maintained libraries.\",\"why_it_matters\":\"Using untested sanitizers can introduce new vulnerabilities instead of fixing them.\"},{\"self_check\":\"Quick: Is sanitizing only needed on the client side? Commit to yes or no.\",\"belief\":\"Sanitizing on the client side is enough to protect the app.\",\"reality\":\"Sanitizing must happen on both client and server to prevent attacks from bypassing client checks.\",\"why_it_matters\":\"Ignoring server-side sanitizing allows attackers to inject harmful data directly to the backend.\"}],\"expert_zone\":{\"nuances\":[\"Sanitizing can affect user experience by removing or altering input; balancing security and usability is a subtle art.\",\"Some sanitizers allow configurable policies to permit safe HTML tags while blocking dangerous ones, requiring deep understanding of HTML and security.\",\"Sanitizing performance matters in large apps; knowing when to sanitize once versus multiple times can optimize speed without losing safety.\"],\"when_not_to_use\":\"Sanitizing is not a substitute for validating input correctness or for escaping output in different contexts like URLs or SQL queries. Use validation libraries for rules and context-specific escaping for output. For example, use parameterized queries for databases instead of relying on sanitizing input.\",\"production_patterns\":\"In production Vue apps, sanitizing is often combined with validation and escaping. Developers use libraries like DOMPurify in components and server code, sanitize input on form submission and before rendering with v-html, and integrate sanitizing in Vuex or Pinia stores to keep app state clean. Security audits include testing sanitizing effectiveness.\"},\"connections\":[{\"to_concept\":\"Cross-Site Scripting (XSS)\",\"relationship\":\"Sanitizing input is a primary defense against XSS attacks.\",\"insight\":\"Understanding sanitizing helps grasp how attackers exploit input to run harmful scripts and how to stop them.\"},{\"to_concept\":\"Data Validation\",\"relationship\":\"Sanitizing complements validation by cleaning input after checking its correctness.\",\"insight\":\"Knowing the difference and connection between validation and sanitizing improves overall input handling.\"},{\"to_concept\":\"Water Filtration Systems\",\"relationship\":\"Both filter out harmful elements from a raw source to make it safe for use.\",\"insight\":\"Seeing sanitizing as filtering helps appreciate the layered approach needed for safety.\"}],\"pitfalls\":[{\"mistake\":\"Sanitizing input only when displaying it, not when storing or processing.\",\"incorrect_approach\":\"const userInput = rawInput;\\nconst safeOutput = DOMPurify.sanitize(userInput);\\n// Store rawInput in database\\n// Use rawInput in logic\",\"correct_approach\":\"const safeInput = DOMPurify.sanitize(rawInput);\\n// Store safeInput in database\\n// Use safeInput in logic and display\",\"root_cause\":\"Believing sanitizing is only needed before showing data, ignoring risks during storage or processing.\"},{\"mistake\":\"Using v-html with unsanitized user input directly in Vue templates.\",\"incorrect_approach\":\"\u003cdiv v-html=\\\"userInput\\\"\u003e\u003c/div\u003e \u003c!-- userInput is raw --\u003e\",\"correct_approach\":\"import DOMPurify from 'dompurify';\\nconst safeInput = DOMPurify.sanitize(userInput);\\n\u003cdiv v-html=\\\"safeInput\\\"\u003e\u003c/div\u003e\",\"root_cause\":\"Not understanding that v-html renders raw HTML and can execute scripts if input is unsafe.\"},{\"mistake\":\"Writing a simple replace to remove \u003c and \u003e but missing other dangerous input forms.\",\"incorrect_approach\":\"const safeInput = userInput.replace(/\u003c/g, '').replace(/\u003e/g, '');\",\"correct_approach\":\"import DOMPurify from 'dompurify';\\nconst safeInput = DOMPurify.sanitize(userInput);\",\"root_cause\":\"Underestimating the complexity of input attacks and over-simplifying sanitizing.\"}],\"key_takeaways\":[\"Sanitizing user input cleans harmful parts to keep your Vue app safe from attacks and bugs.\",\"Always sanitize input before using it in your app, especially before rendering with v-html or storing it.\",\"Use trusted libraries like DOMPurify for robust sanitizing instead of writing your own from scratch.\",\"Sanitizing complements validation and escaping but does not replace them; each has its role in security.\",\"Sanitizing must happen both on client and server sides, especially in apps using server-side rendering.\"],\"metadata\":{\"version\":\"1.0\",\"content_type\":\"framework\",\"estimated_time_minutes\":15,\"depth_level\":\"comprehensive\",\"difficulty_ceiling\":\"expert\"}}},\"subject\":\"vue\",\"title\":\"Sanitizing user input\"},\"syllabusData\":{\"part\":\"part-3\",\"subject\":\"vue\",\"difficulty\":\"advanced\",\"metadata\":{\"total_topics\":8,\"total_patterns\":66,\"patterns_with_content\":66,\"created_at\":\"2026-02-28T20:19:04.088870Z\",\"version\":\"4.2\",\"upload_tool\":\"upload_to_mongo.py v2.0\"},\"part_title\":\"Advanced Vue\",\"subjectTitle\":\"Vue\",\"topics\":[{\"topic_id\":\"vue_p3_t1\",\"title\":\"TypeScript with Vue\",\"order\":1,\"pattern_count\":9,\"patterns\":[{\"pattern_id\":\"vue_why_typescript_matters_in_vue\",\"title\":\"Why TypeScript matters in Vue\",\"order\":1,\"has_content\":true},{\"pattern_id\":\"vue_setting_up_typescript_in_vue_project\",\"title\":\"Setting up TypeScript in Vue project\",\"order\":2,\"has_content\":true},{\"pattern_id\":\"vue_typing_component_props\",\"title\":\"Typing component props\",\"order\":3,\"has_content\":true},{\"pattern_id\":\"vue_typing_emits\",\"title\":\"Typing emits\",\"order\":4,\"has_content\":true},{\"pattern_id\":\"vue_typing_ref_and_reactive\",\"title\":\"Typing ref and reactive\",\"order\":5,\"has_content\":true},{\"pattern_id\":\"vue_typing_computed_properties\",\"title\":\"Typing computed properties\",\"order\":6,\"has_content\":true},{\"pattern_id\":\"vue_generic_components\",\"title\":\"Generic components\",\"order\":7,\"has_content\":true},{\"pattern_id\":\"vue_typesafe_stores_with_pinia\",\"title\":\"Type-safe stores with Pinia\",\"order\":8,\"has_content\":true},{\"pattern_id\":\"vue_typing_composables\",\"title\":\"Typing composables\",\"order\":9,\"has_content\":true}]},{\"topic_id\":\"vue_p3_t2\",\"title\":\"Testing Vue Applications\",\"order\":2,\"pattern_count\":9,\"patterns\":[{\"pattern_id\":\"vue_why_testing_vue_apps_matters\",\"title\":\"Why testing Vue apps matters\",\"order\":1,\"has_content\":true},{\"pattern_id\":\"vue_vitest_setup_for_unit_testing\",\"title\":\"Vitest setup for unit testing\",\"order\":2,\"has_content\":true},{\"pattern_id\":\"vue_component_testing_with_vue_test_utils\",\"title\":\"Component testing with Vue Test Utils\",\"order\":3,\"has_content\":true},{\"pattern_id\":\"vue_mounting_components_mount_vs_shallowmount\",\"title\":\"Mounting components (mount vs shallowMount)\",\"order\":4,\"has_content\":true},{\"pattern_id\":\"vue_testing_props_and_events\",\"title\":\"Testing props and events\",\"order\":5,\"has_content\":true},{\"pattern_id\":\"vue_testing_user_interactions\",\"title\":\"Testing user interactions\",\"order\":6,\"has_content\":true},{\"pattern_id\":\"vue_mocking_composables_and_stores\",\"title\":\"Mocking composables and stores\",\"order\":7,\"has_content\":true},{\"pattern_id\":\"vue_testing_async_behavior\",\"title\":\"Testing async behavior\",\"order\":8,\"has_content\":true},{\"pattern_id\":\"vue_snapshot_testing\",\"title\":\"Snapshot testing\",\"order\":9,\"has_content\":true}]},{\"topic_id\":\"vue_p3_t3\",\"title\":\"Server-Side Rendering and Nuxt\",\"order\":3,\"pattern_count\":9,\"patterns\":[{\"pattern_id\":\"vue_why_ssr_matters_for_vue\",\"title\":\"Why SSR matters for Vue\",\"order\":1,\"has_content\":true},{\"pattern_id\":\"vue_ssr_vs_csr_mental_model\",\"title\":\"SSR vs CSR mental model\",\"order\":2,\"has_content\":true},{\"pattern_id\":\"vue_nuxt_framework_overview\",\"title\":\"Nuxt framework overview\",\"order\":3,\"has_content\":true},{\"pattern_id\":\"vue_nuxt_project_structure\",\"title\":\"Nuxt project structure\",\"order\":4,\"has_content\":true},{\"pattern_id\":\"vue_pages_and_filebased_routing\",\"title\":\"Pages and file-based routing\",\"order\":5,\"has_content\":true},{\"pattern_id\":\"vue_server_routes_and_api\",\"title\":\"Server routes and API\",\"order\":6,\"has_content\":true},{\"pattern_id\":\"vue_nuxt_data_fetching_usefetch_useasyncdata\",\"title\":\"Nuxt data fetching (useFetch, useAsyncData)\",\"order\":7,\"has_content\":true},{\"pattern_id\":\"vue_hydration_behavior\",\"title\":\"Hydration behavior\",\"order\":8,\"has_content\":true},{\"pattern_id\":\"vue_static_site_generation_with_nuxt\",\"title\":\"Static site generation with Nuxt\",\"order\":9,\"has_content\":true}]},{\"topic_id\":\"vue_p3_t4\",\"title\":\"Performance Optimization\",\"order\":4,\"pattern_count\":9,\"patterns\":[{\"pattern_id\":\"vue_why_vue_performance_matters\",\"title\":\"Why Vue performance matters\",\"order\":1,\"has_content\":true},{\"pattern_id\":\"vue_virtual_dom_and_diffing_mental_model\",\"title\":\"Virtual DOM and diffing mental model\",\"order\":2,\"has_content\":true},{\"pattern_id\":\"vue_vonce_for_static_content\",\"title\":\"v-once for static content\",\"order\":3,\"has_content\":true},{\"pattern_id\":\"vue_vmemo_for_conditional_memoization\",\"title\":\"v-memo for conditional memoization\",\"order\":4,\"has_content\":true},{\"pattern_id\":\"vue_lazy_loading_components\",\"title\":\"Lazy loading components\",\"order\":5,\"has_content\":true},{\"pattern_id\":\"vue_keepalive_for_expensive_components\",\"title\":\"Keep-alive for expensive components\",\"order\":6,\"has_content\":true},{\"pattern_id\":\"vue_virtual_scrolling_for_large_lists\",\"title\":\"Virtual scrolling for large lists\",\"order\":7,\"has_content\":true},{\"pattern_id\":\"vue_bundle_analysis_and_tree_shaking\",\"title\":\"Bundle analysis and tree shaking\",\"order\":8,\"has_content\":true},{\"pattern_id\":\"vue_computed_vs_method_performance\",\"title\":\"Computed vs method performance\",\"order\":9,\"has_content\":true}]},{\"topic_id\":\"vue_p3_t5\",\"title\":\"Render Functions and JSX\",\"order\":5,\"pattern_count\":7,\"patterns\":[{\"pattern_id\":\"vue_why_render_functions_exist\",\"title\":\"Why render functions exist\",\"order\":1,\"has_content\":true},{\"pattern_id\":\"vue_h_function_for_creating_vnodes\",\"title\":\"h function for creating vnodes\",\"order\":2,\"has_content\":true},{\"pattern_id\":\"vue_render_function_syntax\",\"title\":\"Render function syntax\",\"order\":3,\"has_content\":true},{\"pattern_id\":\"vue_jsx_in_vue_components\",\"title\":\"JSX in Vue components\",\"order\":4,\"has_content\":true},{\"pattern_id\":\"vue_functional_components\",\"title\":\"Functional components\",\"order\":5,\"has_content\":true},{\"pattern_id\":\"vue_render_functions_vs_templates_decision\",\"title\":\"Render functions vs templates decision\",\"order\":6,\"has_content\":true},{\"pattern_id\":\"vue_dynamic_render_patterns\",\"title\":\"Dynamic render patterns\",\"order\":7,\"has_content\":true}]},{\"topic_id\":\"vue_p3_t6\",\"title\":\"Advanced Reactivity Patterns\",\"order\":6,\"pattern_count\":8,\"patterns\":[{\"pattern_id\":\"vue_why_advanced_reactivity_matters\",\"title\":\"Why advanced reactivity matters\",\"order\":1,\"has_content\":true},{\"pattern_id\":\"vue_custom_refs_with_customref\",\"title\":\"Custom refs with customRef\",\"order\":2,\"has_content\":true},{\"pattern_id\":\"vue_effective_scope_for_cleanup\",\"title\":\"Effective scope for cleanup\",\"order\":3,\"has_content\":true},{\"pattern_id\":\"vue_trigger_and_track_for_manual_reactivity\",\"title\":\"Trigger and track for manual reactivity\",\"order\":4,\"has_content\":true},{\"pattern_id\":\"vue_computed_with_getter_and_setter\",\"title\":\"Computed with getter and setter\",\"order\":5,\"has_content\":true},{\"pattern_id\":\"vue_reactive_map_and_set\",\"title\":\"Reactive Map and Set\",\"order\":6,\"has_content\":true},{\"pattern_id\":\"vue_debounced_watchers_pattern\",\"title\":\"Debounced watchers pattern\",\"order\":7,\"has_content\":true},{\"pattern_id\":\"vue_state_machines_with_composables\",\"title\":\"State machines with composables\",\"order\":8,\"has_content\":true}]},{\"topic_id\":\"vue_p3_t7\",\"title\":\"Advanced Component Patterns\",\"order\":7,\"pattern_count\":8,\"patterns\":[{\"pattern_id\":\"vue_why_advanced_patterns_matter\",\"title\":\"Why advanced patterns matter\",\"order\":1,\"has_content\":true},{\"pattern_id\":\"vue_renderless_components\",\"title\":\"Renderless components\",\"order\":2,\"has_content\":true},{\"pattern_id\":\"vue_higherorder_components_concept\",\"title\":\"Higher-order components concept\",\"order\":3,\"has_content\":true},{\"pattern_id\":\"vue_compound_components_pattern\",\"title\":\"Compound components pattern\",\"order\":4,\"has_content\":true},{\"pattern_id\":\"vue_recursive_components\",\"title\":\"Recursive components\",\"order\":5,\"has_content\":true},{\"pattern_id\":\"vue_suspense_for_async_components\",\"title\":\"Suspense for async components\",\"order\":6,\"has_content\":true},{\"pattern_id\":\"vue_error_boundaries_with_onerrorcaptured\",\"title\":\"Error boundaries with onErrorCaptured\",\"order\":7,\"has_content\":true},{\"pattern_id\":\"vue_dependency_injection_patterns\",\"title\":\"Dependency injection patterns\",\"order\":8,\"has_content\":true}]},{\"topic_id\":\"vue_p3_t8\",\"title\":\"Security and Deployment\",\"order\":8,\"pattern_count\":7,\"patterns\":[{\"pattern_id\":\"vue_why_security_matters_in_vue\",\"title\":\"Why security matters in Vue\",\"order\":1,\"has_content\":true},{\"pattern_id\":\"vue_xss_prevention_in_templates\",\"title\":\"XSS prevention in templates\",\"order\":2,\"has_content\":true},{\"pattern_id\":\"vue_sanitizing_user_input\",\"title\":\"Sanitizing user input\",\"order\":3,\"has_content\":true},{\"pattern_id\":\"vue_environment_variables_management\",\"title\":\"Environment variables management\",\"order\":4,\"has_content\":true},{\"pattern_id\":\"vue_build_optimization_for_production\",\"title\":\"Build optimization for production\",\"order\":5,\"has_content\":true},{\"pattern_id\":\"vue_deployment_to_static_hosting\",\"title\":\"Deployment to static hosting\",\"order\":6,\"has_content\":true},{\"pattern_id\":\"vue_docker_deployment_for_vue_apps\",\"title\":\"Docker deployment for Vue apps\",\"order\":7,\"has_content\":true}]}]},\"modeCode\":\"DLM\",\"productId\":\"codefly\"}]]\n"])</script><script>self.__next_f.push([1,"13:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Sanitizing user input in Vue - Deep Dive: Internals \u0026 How It Works | Leyaa.ai\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Go deep on Sanitizing user input in Vue. Internals, mental models, under-the-hood mechanics, misconceptions, common pitfalls, and production patterns. For serious learners.\"}],[\"$\",\"meta\",\"4\",{\"name\":\"author\",\"content\":\"Leyaa.ai\"}],[\"$\",\"link\",\"5\",{\"rel\":\"manifest\",\"href\":\"/manifest.json\",\"crossOrigin\":\"use-credentials\"}],[\"$\",\"meta\",\"6\",{\"name\":\"keywords\",\"content\":\"learning intelligence,AI learning,personalized learning,adaptive learning,study guide,exam preparation,learning platform,education technology,edtech,smart learning\"}],[\"$\",\"meta\",\"7\",{\"name\":\"creator\",\"content\":\"Leyaa.ai\"}],[\"$\",\"meta\",\"8\",{\"name\":\"publisher\",\"content\":\"Leyaa.ai\"}],[\"$\",\"meta\",\"9\",{\"name\":\"robots\",\"content\":\"index, follow\"}],[\"$\",\"meta\",\"10\",{\"name\":\"googlebot\",\"content\":\"index, follow, max-image-preview:large, max-snippet:-1\"}],[\"$\",\"meta\",\"11\",{\"name\":\"content-language\",\"content\":\"en\"}],[\"$\",\"link\",\"12\",{\"rel\":\"canonical\",\"href\":\"https://leyaa.ai/codefly/learn/vue/part-3/vue-sanitizing-user-input/deep\"}],[\"$\",\"link\",\"13\",{\"rel\":\"alternate\",\"hrefLang\":\"en\",\"href\":\"https://leyaa.ai/codefly/learn/vue/part-3/vue-sanitizing-user-input/deep\"}],[\"$\",\"link\",\"14\",{\"rel\":\"alternate\",\"hrefLang\":\"x-default\",\"href\":\"https://leyaa.ai/codefly/learn/vue/part-3/vue-sanitizing-user-input/deep\"}],[\"$\",\"meta\",\"15\",{\"property\":\"og:title\",\"content\":\"Sanitizing user input in Vue - Deep Dive: Internals \u0026 How It Works | Leyaa.ai\"}],[\"$\",\"meta\",\"16\",{\"property\":\"og:description\",\"content\":\"Go deep on Sanitizing user input in Vue. Internals, mental models, under-the-hood mechanics, misconceptions, common pitfalls, and production patterns. For serious learners.\"}],[\"$\",\"meta\",\"17\",{\"property\":\"og:url\",\"content\":\"https://leyaa.ai/codefly/learn/vue/part-3/vue-sanitizing-user-input/deep\"}],[\"$\",\"meta\",\"18\",{\"property\":\"og:locale\",\"content\":\"en_US\"}],[\"$\",\"meta\",\"19\",{\"property\":\"og:image\",\"content\":\"https://leyaa.ai/Assets/metaImages/leyaa-preview-image.png\"}],[\"$\",\"meta\",\"20\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"21\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"22\",{\"property\":\"og:image:alt\",\"content\":\"Sanitizing user input in Vue - Deep Dive: Internals \u0026 How It Works\"}],[\"$\",\"meta\",\"23\",{\"property\":\"og:type\",\"content\":\"article\"}],[\"$\",\"meta\",\"24\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"25\",{\"name\":\"twitter:site\",\"content\":\"@leyaaai\"}],[\"$\",\"meta\",\"26\",{\"name\":\"twitter:creator\",\"content\":\"@leyaaai\"}],[\"$\",\"meta\",\"27\",{\"name\":\"twitter:title\",\"content\":\"Sanitizing user input in Vue - Deep Dive: Internals \u0026 How It Works | Leyaa.ai\"}],[\"$\",\"meta\",\"28\",{\"name\":\"twitter:description\",\"content\":\"Go deep on Sanitizing user input in Vue. Internals, mental models, under-the-hood mechanics, misconceptions, common pitfalls, and production patterns. For serious learners.\"}],[\"$\",\"meta\",\"29\",{\"name\":\"twitter:image\",\"content\":\"https://leyaa.ai/Assets/metaImages/leyaa-preview-image.png\"}],[\"$\",\"link\",\"30\",{\"rel\":\"icon\",\"href\":\"/leyaa-logo.png\"}],[\"$\",\"link\",\"31\",{\"rel\":\"apple-touch-icon\",\"href\":\"/leyaa-logo.png\"}],[\"$\",\"meta\",\"32\",{\"name\":\"next-size-adjust\"}]]\n"])</script><script>self.__next_f.push([1,"6:null\n"])</script></body></html>