I have a simple User-like Ecto schema backed up by a PostgreSQL database. There is a :bio field that is of type :text. I have other fields for things like :first_name of type :string and I’ve started adding validations like
validate_length(:first_name, max: 255)
to make sure any changesets are more honest about expectations. I’m considering something similar for the :bio field but wanted to ask for guidance.
Any thoughts? Is it a good idea to put some cap on the content length to help with abuse, security or performance concerns?
Probably not if it was just a performance concern, as it likely won’t actually be…
However,
If your threat model includes malicious actors trying to run you out of disk via that ‘bio’ field, a length check in the changeset would be reasonable. It’s important to communicate that up front when a user starts filling it in so they don’t get cut off early.
The security of the field/contents is also more of a frontend concern, does the bio contain HTML or some encoding that may introduce XSS or other code exec vulnerabilities? If so, some form of sanitization is required for sure…
Depending on the front end tech in place, and if it is sanitizing strings before writing to DOM (eex,react) by default AND the field is just text, could rely on the rendering engine to sanitize the bio field of potentially malicious HTML/JS…
A layered defense is always the best approach though. And performing some sort of threat model to understand whom you are defending against is important when making these kinds of decisions…
