How sanitize html content in Supabase (XSS, malformed, ...)

I plan to add the possibility to the user to make rich text comment (with bold, title, ...) but the output is an html. So I need to store the content, but how can I be sure there is no problem with the content saved ? No XSS, no malformed etc... Any idea for the good nd secure worflow ?

loupOP•12/4/25, 5:10 PM

My idea is to create a edge function to sanitize the html content and calling it with a trigger during insert or update of the comment. But calling it during insert gonna block the table for others users during the edge function runtime right ?

Lloup My idea is to create a edge function to sanitize the html content and calling it...

ibrahim•12/4/25, 6:48 PM

I think the edge function could work in the background, why not send it to the edge function first instead of doing a trigger and check the html. You can also make sure it is not malformed client side which actually might be quicker from a UX perspective

vick•12/4/25, 7:22 PM

Sanitizing HTML is going to be very difficult. If you just want text styling, then I will suggest your native storage format be Markdown, and you use a markdown to HTML formatter that you can control. For example, if you do not want to allow URL links, you can tell the formatter to treat those as plain text instead. Things like that. Since you control the HTML creation, your ability to sanitize it is greatly improved and possibly unnecessary. Still, when using the HTML you can use a library like DOMPurifyDOMPurify to try and prevent HTML injection attacks.

Since you tagged edge functions, I see you are using javascript. I use the markedmarked library for converting markdown to HTML. Also,I use MDXeditorMDXeditor for user input of markdown (it has many switches to limit what the user can do) in my app. There is no shortage of options here if you don't like these ones.

Iibrahim I think the edge function could work in the background, why not send it to the e...

loupOP•12/4/25, 11:42 PM

Yes of course, but I wanna add server-side security too for preventing html injection attacks

Vvick Sanitizing HTML is going to be very difficult. If you just want text styling, th...

loupOP•12/4/25, 11:43 PM

Right now, my web using Tiptap with ProseMirror format. But I need to add mobile app, and the only native rich text editor is react-native-enriched which only have htlm support (input and output)

vick•12/11/25, 4:44 PM

I've been using mdxeditormdxeditor for rich text editing. It renders ok on mobile.

How sanitize html content in Supabase (XSS, malformed, ...)

Similar Threads

Similar Threads

Similar Threads