Forms & data handling draft

How we build forms and handle submitted data so spam, injection, and data-handling mistakes don't ship.

Use this when

Adding any form that accepts user input — contact, signup, lead capture, payment.

Definition of done

Spam-protected, input never rendered unsanitized, queries parameterized, and any payment routed through a PCI-DSS-compliant gateway.

Requirements

  1. Spam: every form has a CAPTCHA and a honeypot field.
  2. Output safety: submitted values are never echoed into a page unsanitized. → Security baseline
  3. SQL injection: any server-side query uses parameterized statements; audit the data store.
  4. Payments: use a recognized PCI-DSS-compliant processor (Stripe, PayPal) — never handle card data directly.
  5. Personal data: host on infrastructure meeting recognized standards (e.g. ISO 27018) when storing personal data.

Gotchas

Stored XSS is the worst case for forms — input saved unsanitized once is served to every later visitor. Escape output on render, not just on submit, because the stored value is raw and every place it is echoed is a separate rendering point.
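The three technical requirements above (honeypot, parameterized query, escape on render) in one small submission pipeline, as an added example rather than code from this KB or from Webflow. The `company_website` honeypot field name and the `FakeDb` stand-in for a database client with a `query(text, params)` interface are assumptions for the example.

```javascript
// Added example: apply the form requirements end to end.
// Honeypot: a hidden field real users leave empty; bots that fill every input trip it.
// The field name `company_website` is a constructed example.
function isSpam(fields) {
  return typeof fields.company_website === 'string' && fields.company_website.trim() !== '';
}

// Stand-in for a DB client with query(text, params). It records every call so we can
// check that user data only ever travels in `params`, never inside the SQL text.
class FakeDb {
  constructor() { this.calls = []; this.rows = []; }
  query(text, params) {
    this.calls.push({ text, params });
    if (text.startsWith('INSERT')) this.rows.push({ name: params[0], message: params[1] });
    return this.rows;
  }
}

// Store the submission with placeholders; values are bound as parameters, so a quote
// or comment sequence in the input cannot change the statement's structure.
function storeSubmission(db, fields) {
  if (isSpam(fields)) return { stored: false, reason: 'honeypot' };
  db.query('INSERT INTO submissions (name, message) VALUES ($1, $2)', [fields.name, fields.message]);
  return { stored: true };
}

// Escape on render: the stored value is raw; each place it is echoed into HTML encodes
// the five characters that can break out of text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderSubmissions(db) {
  const rows = db.query('SELECT name, message FROM submissions', []);
  return rows.map(r => `<li><b>${escapeHtml(r.name)}</b>: ${escapeHtml(r.message)}</li>`).join('');
}
```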

Why & sources

From Webflow's security checklist and the OWASP/MDN write-up: Web security for client sites.