diff --git a/caracal.js b/caracal.js
index 3568594..bf44059 100644
--- a/caracal.js
+++ b/caracal.js
@@ -12,6 +12,7 @@ const iipHandler = require('./handlers/iipHandler.js');
 const loaderHandler = require('./handlers/loaderHandler.js');
 const permissionHandler = require('./handlers/permssionHandler.js');
 const dataHandlers = require('./handlers/dataHandlers.js');
+const sanitizeBody = require('./handlers/sanitizeHandler.js');
 // TODO validation of data
 var WORKERS = process.env.NUM_THREADS || 4;
@@ -57,6 +58,8 @@ app.use('/loader/', loaderHandler);
 // data, mongo
 app.use('/data', auth.loginHandler(auth.PUBKEY));
+// sanitize
+app.use("/data", sanitizeBody);
 // slide
 app.get('/data/Slide/find', dataHandlers.Slide.find);
 app.get('/data/Slide/find', auth.filterHandler('data', 'userFilter', 'filter'));
@@ -167,7 +170,7 @@ app.use(function(err, req, res, next) {
 // wrap strings in a json
 if (typeof err === 'string' || err instanceof String) {
 err = {'error': err};
- console.error(err)
+ console.error(err);
 } else {
 console.error(err.error || err.message || err.toString());
 }
diff --git a/handlers/authHandlers.js b/handlers/authHandlers.js
index f67ab27..e748bb6 100644
--- a/handlers/authHandlers.js
+++ b/handlers/authHandlers.js
@@ -71,7 +71,7 @@ if (DISABLE_SEC && !JWK_URL) {
 } else {
 console.error('need JWKS URL (JWK_URL)');
 process.exit(1);
-}
+}
 const getToken = function(req) {
 if (req.headers.authorization &&
diff --git a/handlers/sanitizeHandler.js b/handlers/sanitizeHandler.js
new file mode 100644
index 0000000..575d07b
--- /dev/null
+++ b/handlers/sanitizeHandler.js
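Review bot: `app.use("/data", sanitizeBody);` in the second caracal.js hunk runs the middleware for every method under /data, including the GET routes registered directly below it, so sanitizeBody is invoked for requests that carry no body; if req.body is undefined there, the handler's `req.body.indexOf`/`.replace` calls throw a TypeError that surfaces as a generic server error rather than the intended 400. Consider guarding in the handler or limiting the mount to body-carrying routes — which body parser (if any) runs before loginHandler is not visible in this hunk, so the actual type of req.body is an assumption to confirm. Separately, the new line uses double quotes while the surrounding mounts use single quotes; `app.use('/data', sanitizeBody);` matches the file's style.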
@@ -0,0 +1,20 @@
+var ERR_ON_SANITIZE = (process.env.ERR_ON_SANITIZE === 'true') || false;
+
+function sanitizeBody(req, res, next) {
+ // handle req body edgecases
+ if (ERR_ON_SANITIZE) {
+ if (req.body.indexOf("<") >=0 || req.body.indexOf(">") >=0) {
+ let e = {'statusCode': 400};
+ e.error = 'Characters < and > disallowed in body.';
+ next(e);
+ } else {
+ next();
+ }
+ } else {
+ req.body = req.body.replace(//g, "");
+ next();
+ }
+}
+
+module.exports = sanitizeBody;
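Review bot: `req.body = req.body.replace(//g, "");` is a syntax error as shown — `//` starts a line comment in JavaScript, so the call is never closed and the module fails to load; if the intent is to strip the same two characters the strict branch rejects, the pattern should be `req.body = req.body.replace(/[<>]/g, "");` (this may be an extraction artifact rather than the committed text, so worth checking the file directly). Both branches also assume req.body is a string: `indexOf` and `replace` throw on undefined (bodiless requests) and on a parsed JSON object, which turns a validation step into an unhandled TypeError. A leading `if (typeof req.body !== 'string') { return next(); }` keeps the handler to the case it is written for, and the strict branch can build its error in one literal, `next({ statusCode: 400, error: 'Characters < and > disallowed in body.' });`. Stripping characters silently alters the body that downstream handlers see, so the default (non-ERR_ON_SANITIZE) mode deserves a comment saying so, e.g. `// Non-strict mode rewrites req.body in place; later handlers see the stripped value.`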