Hello.
Is it safe to store XHTML code in a database?
What I usually do is store XHTML in the database and then just use htmlspecialchars() when outputting it on the website.
Is that a safe practice or are there any security risks?
Do you want to output the (X)HTML to show to the user, or as part of the site's (X)HTML?
Jake Arkinstall
"Sometimes you don't need to reinvent the wheel;
Sometimes it's enough to make that wheel more rounded" - Molona
To clarify, yes and no... Sometimes I want to display XHTML to the users (I do that with htmlspecialchars()) but sometimes I just want to incorporate it in the website...
I guess only the latter poses a security threat (XSS)?
Correct. The former, if escaped, will be perfectly fine because the escaped tags will not be executed.
The latter does have a bit of an issue. What I would recommend is that you scan all links and images for sources of javascript, and obviously remove script and maybe style tags.
You would run that when the page is being displayed, but of course that adds to load. Another solution would be to run it when things are inserted or updated, but that leaves you more vulnerable if someone gains DB access. Another solution may be to run a cronjob quite often which searches for any rows with '<script', 'href="javascript:"' etc. tags.
Looks good.
Of course you'd need precautions in place just in the case of someone gaining direct access to the database...
I think there's some confusion between storing the XHTML in the database and outputting it. You don't have to purify it or do anything to the XHTML when you put it into the database because the database does not care. It will not act on it. When you output it, the browser does care, because it will parse the XHTML. That means that you can purify the XHTML either before or after you store it in the database.
With proper security practices, you shouldn't need to take those precautions. You probably have bigger problems on your hands if that happens.
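Both output-time treatments discussed in this thread, as an added example (not code from any poster): escaping for display, which is the job htmlspecialchars() does in PHP, and an allowlist sanitiser for embedding the markup, applied when the page is rendered as the last reply suggests. It uses an allowlist of tags and attributes rather than the '<script' / 'javascript:' search described above, and assumes the stored fragments are well-formed, namespace-free XHTML; the tag lists and the SAMPLE string are constructed for the example.

```python
import html
import xml.etree.ElementTree as ET

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li", "br"}
VOID_TAGS = {"br", "img"}                       # serialised as <tag />
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}

def escape_for_display(fragment):
    """What htmlspecialchars() does in PHP: '<' becomes '&lt;', so nothing runs."""
    return html.escape(fragment, quote=True)

def _safe_url(value):
    # Browsers drop tabs/newlines inside a scheme, so probe a whitespace-free copy.
    probe = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    if probe.startswith("//"):                  # protocol-relative = external host
        return False
    return probe.startswith(("http://", "https://", "mailto:", "/", "#"))

def _render(elem):
    out, tag, keep = [], elem.tag, elem.tag in ALLOWED_TAGS
    if keep:
        attrs = ""
        for name, value in elem.attrib.items():
            if name not in ALLOWED_ATTRS.get(tag, ()) or (
                    name in URL_ATTRS and not _safe_url(value)):
                continue                # drops onclick=, style=, javascript: ...
            attrs += ' %s="%s"' % (name, html.escape(value, quote=True))
        out.append("<%s%s%s>" % (tag, attrs, " /" if tag in VOID_TAGS else ""))
    if tag not in ("script", "style"):          # these lose their content too
        out.append(html.escape(elem.text or ""))
        out.extend(_render(child) for child in elem)
    if keep and tag not in VOID_TAGS:
        out.append("</%s>" % tag)
    out.append(html.escape(elem.tail or ""))    # text following this element
    return "".join(out)

def sanitize_for_embedding(fragment):
    """Allowlist filter: unknown tags are unwrapped; malformed input raises."""
    # The <root> wrapper also rules out a DOCTYPE (and so entity declarations).
    root = ET.fromstring("<root>%s</root>" % fragment)   # ET.ParseError if broken
    return html.escape(root.text or "") + "".join(_render(c) for c in root)

SAMPLE = ('<p onclick="steal()">Hi <b>there</b><script>alert(1)</script>'  # constructed
          '<a href="java\tscript:alert(1)">x</a><a href="https://example.com">ok</a>'
          '<img src="/pic.png" alt="a &amp; b"/></p>')

if __name__ == "__main__":
    print(escape_for_display(SAMPLE))       # inert text, shown as-is to readers
    print(sanitize_for_embedding(SAMPLE))   # safe markup, embedded in the page
```

Tags that are not on the allowlist are unwrapped rather than escaped, so their text survives while script and style elements lose their content entirely.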