Is there any sanitization of mutation data happening on the backend to protect against XSS or SQL injection?
We enforce a number of SQL injection checks on all operations that happen to protect 8base and the workspace DB.
In regards to XSS, it’s more of a client side issue that you must protect against. Being a hosted database, we have to save/return what you send to us. Therefore, if you persist a string like ‘[script]alert(“ouch”)[/script]’ we’re not going to escape it. You’ll need to make sure it’s handled appropriately in your client.
*In my example, this forum escaped the tags