modern-web-design-and-development

(Brent) #1

HTML


HTML is pretty safe. It is simply converted into text—no interaction with the
server or calculations—so not much can go wrong. That said, you should
always use HTML for what it’s for:



  • HTML structures your content.
    HTML is not a database to store information. The reason it is not is
    because you cannot rely on HTML content to stay unchanged. Anyone
    could use browser debugging tools to mess around with your HTML
    and change the content. So you run into security issues with JavaScript
    solutions that rely on data in the HTML and don’t check the server for
    what that data is allowed to be.

  • HTML is fully visible.
    Don’t use comments in the HTML to store sensitive information, and
    don’t comment out sections of a page that are not ready yet but that
    point to parts of an application that are in progress.

  • Hiding things doesn’t make them go away.
    Even if you hide information with CSS or JavaScript, some people can
    get it anyway. HTML is not there to give your application functionality;
    that should always happen on the server.


A wonderful example of insecure HTML was the drop-down menu on the
website of a certain airline. This menu let you define the seating class you
wanted to fly in as the last step before printing your voucher. The website
rendered the HTML of the drop-down menu and commented out the
sections that were not available for the price you had selected:
