
CKEditor security best practices

I am using http://ckeditor.com/ in a small PHP/MySQL forum I built. My questions:

  1. Is it safe to save user-created HTML like this in the database and then re-display it in my application? What precautions should I take to keep the users of my forum safe from script injection and the like?

    <p>test</p>
    <span style="font-size: 14px;">test</span>
    
  2. Would it be safer to use BBCode instead of HTML? I tried the ckeditor bbcode plugin but it lacks some basic formatting like text alignment ... Does anyone know how to extend the plugin to add text alignment to it?

jpc asked Oct 11 '22 03:10


1 Answer

For your first question, there are two main things you need to do:

  1. Safely save the user content to your database so that you are not vulnerable to a SQL injection attack. See this SO question for how best to handle that => Best way to stop SQL Injection in PHP.

  2. Prevent someone from submitting unsafe HTML to your database that would then be re-displayed to your users and make them vulnerable to an XSS attack. There are plenty of questions that deal with that here on SO. Here's one => XSS Prevention in PHP.

Peter answered Oct 17 '22 13:10
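As an added example that is not part of the original answer, here are the two measures Peter lists, written out in PHP: an allowlist sanitizer built on DOMDocument (tags, the `font-size` style from the question's editor output, and the `text-align` the asker wants) followed by storage through a PDO prepared statement. It assumes PHP 8 with the DOM and PDO SQLite extensions; the `posts` table and its columns are invented for the demo.

```php
<?php
// Added example, not from the post. Assumes PHP 8 with the DOM and PDO SQLite extensions; table/columns are invented.
// Tag allowlist and, per tag, the attributes that may survive.
const ALLOWED = ['p' => ['style'], 'span' => ['style'], 'strong' => [], 'em' => [], 'u' => [],
                 'br' => [], 'ul' => [], 'ol' => [], 'li' => [], 'a' => ['href']];
function attributeIsSafe(string $name, string $value): bool {
    return match ($name) {   // style: only the question's font-size plus text-align; anything else goes
        'href'  => (bool) preg_match('~^https?://~i', trim($value)),   // rejects javascript: and data: URLs
        'style' => (bool) preg_match('~^\s*(font-size:\s*\d{1,2}px|text-align:\s*(left|center|right))\s*;?\s*$~i', $value),
        default => false,
    };
}
function cleanNode(DOMNode $node): void {
    // Iterate over a snapshot: removing or unwrapping children mutates childNodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMComment) { $node->removeChild($child); continue; }
        if (!$child instanceof DOMElement) { continue; }   // text nodes are re-serialised escaped
        if (in_array($child->tagName, ['script', 'style', 'iframe', 'object', 'embed'], true)) {
            $node->removeChild($child); continue;           // drop the content as well as the tag
        }
        cleanNode($child);   // descendants first, so anything unwrapped below is already clean
        if (!isset(ALLOWED[$child->tagName])) {             // unknown tag: keep its text, lose the tag
            while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
            $node->removeChild($child); continue;
        }
        foreach (iterator_to_array($child->attributes) as $a) {   // also strips every on* handler
            if (!in_array($a->name, ALLOWED[$child->tagName], true) || !attributeIsSafe($a->name, $a->value)) {
                $child->removeAttribute($a->name);
            }
        }
    }
}
function sanitizeHtml(string $html): string {
    $doc = new DOMDocument(); @$doc->loadHTML('<?xml encoding="UTF-8">' . $html);   // leading <?xm => UTF-8; @ mutes tag-soup warnings
    $body = $doc->getElementsByTagName('body')->item(0);   // libxml wraps the fragment in <html><body>
    if ($body === null) { return ''; }
    cleanNode($body);
    return implode('', array_map(fn($c) => $doc->saveHTML($c), iterator_to_array($body->childNodes)));
}
// Bound parameters keep the HTML as data; it can never become part of the SQL text.
function savePost(PDO $db, int $userId, string $rawHtml): string {
    $clean = sanitizeHtml($rawHtml);
    $db->prepare('INSERT INTO posts (user_id, body_html) VALUES (:uid, :body)')
       ->execute([':uid' => $userId, ':body' => $clean]);
    return $clean;
}
// Constructed sample: the editor output from the question followed by typical injection attempts.
$db = new PDO('sqlite::memory:'); $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, body_html TEXT)');
$sample = '<p>test</p><span style="font-size: 14px;">test</span><span style="background:url(x)" onclick="alert(1)">x</span>'
    . '<script>alert(1)</script><a href="javascript:alert(1)">click</a>\'; DROP TABLE posts;--';
echo savePost($db, 1, $sample), "\n";
```

The sample keeps the two formatted nodes from the question intact, drops the script block, strips the event handler and the `javascript:` link target, and stores the trailing quote-and-DROP text as harmless post content because it travels as a bound parameter rather than as SQL.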