  1. #1 risoknop (SitePoint Guru, joined Feb 2008)

    Security question

    Hello.

    Is it safe to store XHTML code in a database?

    What I usually do is store XHTML in the database and then just use htmlspecialchars() when outputting it on the website.

    Is that a safe practice, or are there any security risks?

  2. #2 Jake Arkinstall (Theoretical Physics Student, Lancaster University, UK, joined May 2006)
    Do you want to output the (X)HTML to show to the user, or as part of the site's (X)HTML?
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded" - Molona

  3. #3 risoknop
    Quote Originally Posted by arkinstall:
    Do you want to output the (X)HTML to show to the user, or as part of the site's (X)HTML?
    Yes.

    Should I use some filtering library to filter the XHTML, or not?

  4. #4 risoknop
    To clarify, yes and no... Sometimes I want to display XHTML to the users (I do that with htmlspecialchars()) but sometimes I just want to incorporate it in the website...

    I guess only the latter poses a security threat (XSS)?

  5. #5 Jake Arkinstall
    Correct. The former, if escaped, will be perfectly fine because the escaped tags will not be executed.

    The latter does have a bit of an issue. What I would recommend is that you scan all links and images for sources of javascript, and obviously remove script and maybe style tags.

    You would run that when the page is being displayed, but of course that adds to load. Another solution would be to run it when things are inserted or updated, but that leaves you more vulnerable if someone gains DB access. Another solution may be to run a cron job quite often which searches for any rows with '<script', 'href="javascript:"' etc. tags.
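The filtering this reply describes (scan links and images for script sources, strip script and style tags), as an added example that is not code from the thread or from any poster: a PHP allowlist sanitiser built on DOMDocument. It goes a step further than searching for '<script' or 'href="javascript:"' substrings, which encoding and whitespace tricks can slip past: it keeps only listed elements and attributes, accepts only http/https/mailto URLs in href/src, and re-serialises the tree so the browser parses exactly what was inspected. All function and constant names, the tag list, and the sample row are assumptions.

```php
<?php
// Added example, not code from the thread. Allowlist sanitiser for stored
// XHTML fragments: unknown elements, all on* handlers and any href/src with a
// non-allowlisted scheme are removed; the cleaned DOM is serialised back to
// markup. Function/constant names and the allowlist are assumptions.

const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [], 'code' => [], 'pre' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function sanitize_fragment(string $dirty): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // malformed input is routine; do not spam warnings
    // Wrap the fragment in a known root so libxml neither invents html/body
    // around it nor wraps loose text in <p>; the prolog makes it read UTF-8.
    $loaded = $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $dirty . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    if ($loaded === false) {
        return ''; // unparseable input is dropped rather than guessed at
    }
    // The wrapper is the first <div> in document order; anything the parser
    // pushed outside it (e.g. after a stray </div>) is simply never emitted.
    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    clean_children($root);
    $clean = '';
    foreach ($root->childNodes as $child) {
        $clean .= $doc->saveHTML($child);
    }
    return $clean;
}

function clean_children(DOMNode $parent): void
{
    // Copy the live NodeList first: removing nodes while iterating it skips siblings.
    foreach (iterator_to_array($parent->childNodes, false) as $node) {
        if ($node instanceof DOMText) {
            continue; // text is inert; saveHTML() escapes < > & on output
        }
        if (!($node instanceof DOMElement) || !isset(ALLOWED_TAGS[strtolower($node->tagName)])) {
            // Comments, <script>, <style>, <iframe>, <object>, unknown tags:
            // removed together with their contents.
            $parent->removeChild($node);
            continue;
        }
        $allowed = ALLOWED_TAGS[strtolower($node->tagName)];
        foreach (iterator_to_array($node->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            // Drops every on* handler and style="" (not in the list) and any
            // href/src whose scheme is not allowlisted.
            if (!in_array($name, $allowed, true) || !safe_url_attribute($name, $attr->value)) {
                $node->removeAttribute($attr->name);
            }
        }
        clean_children($node); // recurse into the kept element
    }
}

function safe_url_attribute(string $name, string $value): bool
{
    if ($name !== 'href' && $name !== 'src') {
        return true; // non-URL attribute that is already allowlisted
    }
    // Browsers ignore control characters and whitespace inside a scheme,
    // so strip them before looking at it. Entities were already decoded by the DOM.
    $url = preg_replace('/[\x00-\x20]+/', '', $value);
    if (!preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m)) {
        return true; // no scheme at all: a relative URL, which cannot run script
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Constructed sample of what a tampered row might contain (not from the thread).
$stored = '<p>Hi <b>there</b></p><script>alert(1)</script>'
        . '<a href="java&#x09;script:alert(1)" onclick="x()">link</a>'
        . '<img src="https://example.org/a.png" onerror="evil()">';
echo sanitize_fragment($stored), PHP_EOL;
```

Because the output is produced by saveHTML() from the cleaned tree rather than by patching the original string, the parser's view and the browser's view of the markup agree, which is the property a substring search can never give you. Dropping disallowed elements together with their contents is deliberate: for script and style the contents are the dangerous part.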

  6. #6 risoknop
    Quote Originally Posted by arkinstall:
    Correct. The former, if escaped, will be perfectly fine because the escaped tags will not be executed.

    The latter does have a bit of an issue. What I would recommend is that you scan all links and images for sources of javascript, and obviously remove script and maybe style tags.

    You would run that when the page is being displayed, but of course that adds to load. Another solution would be to run it when things are inserted or updated, but that leaves you more vulnerable if someone gains DB access. Another solution may be to run a cron job quite often which searches for any rows with '<script', 'href="javascript:"' etc. tags.
    What about using some library like HTMLPurifier to filter the XHTML before saving it to the database?

  7. #7 Jake Arkinstall
    Looks good.

    Of course you'd need precautions in place just in the case of someone gaining direct access to the database...

  8. #8 SitePoint Wizard (joined Mar 2008)
    I think there's some confusion between storing the XHTML in the database and outputting it. You don't have to purify it or do anything to the XHTML when you put it into the database because the database does not care. It will not act on it. When you output it, the browser does care, because it will parse the XHTML. That means that you can purify the XHTML either before or after you store it in the database.

    With proper security practices, you shouldn't need to take those precautions. You probably have bigger problems on your hands if that happens.
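The distinction this reply draws, as an added example that is not code from the thread or from any poster: one output path escapes the stored XHTML with htmlspecialchars() so the user sees it as text, the other embeds it as markup after running it through HTMLPurifier (the library mentioned in #6) at output time. The protection sits on the output path in both cases, so whether a row was also purified before the INSERT changes cost, not safety. The function names, the Composer autoload path and the sample row are assumptions; the HTMLPurifier directives (HTML.Allowed, URI.AllowedSchemes, Cache.SerializerPath) are real ones.

```php
<?php
// Added example, not code from the thread. Two output contexts for the same
// stored XHTML fragment: show it as text (escape) or embed it as markup
// (sanitise). Function names and the autoload path are assumptions.

require_once 'vendor/autoload.php'; // assumes: composer require ezyang/htmlpurifier

function purifier(): HTMLPurifier
{
    static $purifier = null; // building the config is the expensive part; do it once per request
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Allowlist of elements and attributes; everything else is dropped.
        $config->set(
            'HTML.Allowed',
            'p,br,b,strong,i,em,ul,ol,li,blockquote,code,pre,a[href|title],img[src|alt|width|height]'
        );
        // href/src with any other scheme (javascript:, data:, vbscript:) lose the attribute.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        // Parsed definitions are cached on disk; the directory must be writable.
        $config->set('Cache.SerializerPath', sys_get_temp_dir());
        $purifier = new HTMLPurifier($config);
    }
    return $purifier;
}

// Context 1: the reader should *see* the XHTML source (a tutorial, a code box).
// Nothing in it can execute, because every < > & " ' becomes an entity.
function render_as_text(string $stored): string
{
    // ENT_QUOTES also covers attribute contexts; the charset must match the page's.
    return '<pre><code>'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</code></pre>';
}

// Context 2: the XHTML becomes part of the page. htmlspecialchars() is the
// wrong tool here (it would show the tags); the fragment has to be sanitised.
function render_as_markup(string $stored): string
{
    return purifier()->purify($stored);
}

// Constructed sample row, as it might come back from the database
// (including what a tampered row could hold). Not from the thread.
$row = ['body' => '<p>Hello <b>world</b></p><script>alert(1)</script><a href="javascript:alert(1)">x</a>'];

echo render_as_text($row['body']), PHP_EOL;   // tags shown literally, nothing runs
echo render_as_markup($row['body']), PHP_EOL; // script element and javascript: href removed
```

Running the purifier on the way out is what makes the "direct DB access" worry from #5 and #7 moot for XSS: a row edited behind the application's back still passes through the same allowlist before it reaches a browser. Purifying on INSERT as well is then a cache-hit optimisation, and HTMLPurifier's serializer cache keeps the per-request cost down if you choose output-only.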
