Form sanitization on basic HTML forms

I’m looking to use Netlify for a simple one-page site with a form to submit a brief message. I’m looking at the Forms setup | Netlify Docs and the basic HTML form to make the site quick to deploy.

Does Netlify sanitize or render submitted data on the dashboard in such a way to prevent cross-site scripting? I’d like to have the form submitted, and use the Netlify hooks to send it on to a Gmail address, but want to understand extra steps this might require.

I’ve read through the Forms documentation and it doesn’t specifically call this out.

As far as I’m aware, we don’t sanitize the body, but I’ll confirm with the team.

Sorry, turns out we do sanitize the submission.

Hello, Netlify developer here 👋.

I totally get your concern about security, especially when it comes to form submissions and potential cross-site scripting (XSS) threats, so I thought I’d bring some additional context.

Our form handling is built to keep things safe both on our end and on yours. We use Ruby on Rails and Rack’s html_escape utility to sanitize form submissions. This means any code that gets submitted, like <script> tags or anything else that could be harmful, is neutralized before it is ever rendered by the Netlify dashboard.

For instance, if someone tries sneaking in a script through your form like this:

<script>alert('Nice try!');</script>

It gets transformed into something harmless that looks like this:

&lt;script&gt;alert('Nice try!');&lt;/script&gt;

So, it’s stored and displayed as just text, no execution. This way, when Netlify notifies you of a new submission or you use a hook to forward your form data somewhere, you’re only getting safe, sanitized content.

If you’ve got more questions or need specifics, we’re here to help keep you and your customers safe.

2 Likes
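To show concretely what the escaping described above does, and how to check that a field is safe to embed before your hook builds an HTML email from it, here is an added Ruby example. It is not Netlify's code: it reimplements the entity table Rack's html_escape is assumed to use (the exact entity for the single quote varies between Rack versions), and the submission values are constructed sample data.

```ruby
# Added example, not Netlify's implementation. Mirrors the behaviour of
# Rack::Utils.escape_html on the five HTML-significant characters.
# Assumption: "'" is escaped as "&#39;" (older Rack versions use "&#x27;").
ESCAPE_TABLE = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

def html_escape(str)
  str.to_s.gsub(/[&<>"']/, ESCAPE_TABLE)
end

# True when a string contains no raw HTML-significant characters and every
# "&" starts one of the entities html_escape emits. Use this at the output
# boundary (e.g. before interpolating a field into an HTML email template).
def escaped_text?(str)
  str !~ /[<>"']/ && str !~ /&(?!(?:amp|lt|gt|quot|#39);)/
end

# Render a submission hash as an HTML table, escaping every key and value.
def render_submission(fields)
  rows = fields.map do |key, value|
    "<tr><th>#{html_escape(key)}</th><td>#{html_escape(value)}</td></tr>"
  end
  "<table>#{rows.join}</table>"
end

# Constructed sample submission (not real data). The "email" field shows an
# attribute-breakout attempt, which plain escaping also neutralizes.
SAMPLE = {
  "name"    => "Mallory",
  "message" => "<script>alert('Nice try!');</script>",
  "email"   => "mallory@example.com\"><img src=x onerror=alert(1)>"
}.freeze

if __FILE__ == $PROGRAM_NAME
  html = render_submission(SAMPLE)
  puts html
  # Escaped text may still *contain* words like "onerror=", so grepping the
  # output for event handlers is not a useful check; escaped_text? is.
  puts SAMPLE.values.map { |v| escaped_text?(html_escape(v)) }.all? ? "safe" : "UNSAFE"
end
```

Note that html_escape is not idempotent: running it over text that was already escaped turns `&lt;` into `&amp;lt;`, so escape exactly once, at the point where the data is written into HTML.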

This is great information @Kaelig.

Might I suggest information about sanitization make it into the forms documentation?

1 Like

I’ve passed this to the docs team.

2 Likes

Thanks for the suggestion! We’ve updated the docs to include information about automatic form sanitization.

1 Like