I was wondering which way I should do the following. I am using the TinyMCE WYSIWYG editor, which formats the user's data with the right HTML tags. Now I need to save the data entered into the editor into a database table.
Should I encode the HTML tags to their corresponding entities when inserting into the DB, and then, when I get the data back from the table, not have to encode it for XSS purposes? But I'd still have to use eval for the HTML tags to format the text.
OR
Do I save the HTML tags into the database, and then, when I get the data back from the database, encode the HTML tags to their entities? But then, as the tags will appear to the user, I'd have to use the eval function to actually format the data as it was entered.
My thoughts are with the first option; I just wondered what you guys thought.
I would suggest storing the data in the database in as close to its "natural" form as possible. Generally your database layer should not be concerned with whether a field contains HTML, Base64-encoded binary text, or just plain text. These are concerns for your view layer, when it decides how to render the content.
Thus, while you might want to do some preliminary screening for XSS attacks before you insert into the database, you should always screen for XSS before you send "untrusted" information to the browser.
This also has the advantage that if your XSS prevention algorithms improve in the future, you can apply them across your entire application just by changing the routines that display the content, instead of having to scan your database for fields that might contain HTML and then update them.
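As an added illustration (this is example code, not part of the answer above or of TinyMCE), here is what "screen before you send it to the browser" looks like in practice, next to the asker's first option. Encoding the markup on insert and decoding it on read is a pure round trip: the browser receives exactly what the user typed, so any `<script>` or `onerror=` handler survives. The sanitizer instead keeps only an allowlist of tags and attributes and escapes everything else at render time, while the stored value stays untouched. The allowlist, the safe URL schemes, the helper names and the sample input are all choices made for this example, not anything the original page specifies; a real application would normally lean on a maintained sanitizer library rather than a hand-rolled one, but the shape of the check is the same.

```python
import html
from html.parser import HTMLParser

# Allowlist chosen for this example: the formatting a rich-text editor
# typically emits. Anything not listed is dropped (its text is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u",
                "ul", "ol", "li", "h1", "h2", "h3", "blockquote", "a"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= handlers anywhere
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from a parse, keeping only allowlisted tags/attrs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                        # unknown tag: omit it, keep its content
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text nodes are re-escaped, so "1 < 2" typed by the user comes out as
            # "1 &lt; 2" and can never start a tag of its own.
            self.out.append(html.escape(data, quote=False))


def sanitize_for_output(stored_html):
    """View-layer step: run on the raw HTML read from the database, every time."""
    parser = AllowlistSanitizer()
    parser.feed(stored_html)
    parser.close()
    return "".join(parser.out)


def encode_on_insert_decode_on_read(user_html):
    """The asker's option 1: entity-encode for storage, decode ("eval") for display.
    The round trip reproduces the original markup, so it offers no XSS protection."""
    stored = html.escape(user_html, quote=True)
    return html.unescape(stored)


# Constructed sample: legitimate editor output plus three injected payloads.
SAMPLE_INPUT = ('<p>Hello <b>world</b></p>'
                '<script>alert(1)</script>'
                '<a href="javascript:alert(2)" onclick="steal()">x</a>'
                '<img src=x onerror=alert(3)>')

if __name__ == "__main__":
    print("round trip :", encode_on_insert_decode_on_read(SAMPLE_INPUT))
    print("sanitized  :", sanitize_for_output(SAMPLE_INPUT))
```

Because the stored column still holds the user's original markup, switching to a stricter or better sanitizer later means changing `sanitize_for_output` only; no migration of existing rows is needed, which is the point the answer makes.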