Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Encoding user input to be stored in MongoDB

I'm trying to determine the best practices for storing and displaying user input in MongoDB. Obviously, in SQL databases, all user input needs to be encoded to prevent injection attacks. However, my understanding is that with MongoDB we need to be more worried about XSS attacks, so does user input need to be encoded on the server before being stored in mongo? Or, is it enough to simply encode the string immediately before it is displayed on the client side using a template library like handlebars?

Here's the flow I'm talking about:

  1. On the client side, user updates their name to "<script>alert('hi');</script>".
    • Does this need to be escaped to "&lt;script&gt;alert(&#x27;hi&#x27;);&lt;&#x2F;script&gt;" before sending it to the server?
  2. The updated string is passed to the server in a JSON document via an ajax request.
  3. The server stores the string in mongodb under "user.name".
    • Does the server need to escape the string in the same way just to be safe? Would it have to first un-escape the string before fully escaping so as to not double up on the '&'?
  4. Later, user info is requested by client, and the name string is sent in JSON ajax response.
  5. Immediately before display, user name is encoded using something like _.escape(name).

Would this flow display the correct information and be safe from XSS attacks? What about about unicode characters like Chinese characters?

This also could change how text search would need to be done, as the search term may need to be encoded before starting the search if all user text is encoded.

Thanks a lot!

like image 351
Ethan Avatar asked Mar 10 '14 22:03

Ethan


People also ask

In which format data is stored in MongoDB?

MongoDB stores data in BSON format both internally, and over the network, but that doesn't mean you can't think of MongoDB as a JSON database.

How does MongoDB store JSON data?

MongoDB uses BSON to store data. While JSON and BSON have slight differences such as availability of data types and readability, they can easily be converted into each other. The process to import JSON into MongoDB depends on the operating system and the programming language you are using.

Which of the following format is supported by MongoDB?

Explanation: MongoDB supports JSON format compared to XML.


1 Answers

Does this need to be escaped to "&lt;script&gt;alert(&#x27;hi&#x27;);&lt;&#x2F;script&gt;" before sending it to the server?

No, it has to be escaped like that just before it ends up in an HTML page - step (5) above.

The right type of escaping has to be applied when text is injected into a new surrounding context. That means you HTML-encode data at the moment you include it in an HTML page. Ideally you are using a modern templating system that will do that escaping for you automatically.

(Similarly if you include data in a JavaScript string literal in a <script> block, you have to JS-encode it; if you include data in in a stylesheet rule you have to CSS-encode it, and so on. If we were using SQL queries with data injected into their strings then we would need to do SQL-escaping, but luckily Mongo queries are typically done with JavaScript objects rather than a string language, so there is no escaping to worry about.)

The database is not an HTML context so HTML-encoding input data on the way to the database is not the right thing to do.

(There are also other sources of XSS than injections, most commonly unsafe URL schemes.)

like image 177
bobince Avatar answered Sep 19 '22 12:09

bobince