I'm trying to determine the best practices for storing and displaying user input in MongoDB. Obviously, in SQL databases, all user input needs to be encoded to prevent injection attacks. However, my understanding is that with MongoDB we need to be more worried about XSS attacks, so does user input need to be encoded on the server before being stored in mongo? Or, is it enough to simply encode the string immediately before it is displayed on the client side using a template library like handlebars?
Here's the flow I'm talking about:
Would this flow display the correct information and be safe from XSS attacks? What about Unicode characters like Chinese characters?
This also could change how text search would need to be done, as the search term may need to be encoded before starting the search if all user text is encoded.
Thanks a lot!
Does this need to be escaped to

`&lt;script&gt;alert('hi');&lt;/script&gt;`

before sending it to the server?
No, it has to be escaped like that just before it ends up in an HTML page - step (5) above.
The right type of escaping has to be applied when text is injected into a new surrounding context. That means you HTML-encode data at the moment you include it in an HTML page. Ideally you are using a modern templating system that will do that escaping for you automatically.
(Similarly, if you include data in a JavaScript string literal in a `<script>` block, you have to JS-encode it; if you include data in a stylesheet rule you have to CSS-encode it, and so on. If we were using SQL queries with data injected into their strings then we would need to do SQL-escaping, but luckily Mongo queries are typically done with JavaScript objects rather than a string language, so there is no escaping to worry about.)
The database is not an HTML context so HTML-encoding input data on the way to the database is not the right thing to do.
(There are also other sources of XSS than injections, most commonly unsafe URL schemes.)
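As an added example (not code from the original answer), here is the context-specific escaping described above in JavaScript: the raw string is stored and queried unchanged, and HTML encoding or JS-string encoding is applied only at the moment the value is rendered into that context. The helper names and the sample document are assumptions; `escapeHtml` mirrors the character set that Handlebars escapes for `{{ }}`.

```javascript
// Constructed sample document, stored exactly as the user typed it (no encoding).
const storedDoc = {
  name: "<script>alert('hi');</script> 你好",
  bio: "I said \"hi\" & left </script>"
};

// HTML context (element text or quoted attribute): same set Handlebars escapes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
                "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;' };
  return String(value).replace(/[&<>"'`=]/g, ch => map[ch]);
}

// JavaScript string-literal context inside an inline <script> block:
// JSON.stringify handles quotes and backslashes; '<' is also escaped so that
// a value containing "</script>" cannot terminate the script element.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render time is where escaping happens, once per output context.
function renderProfile(doc) {
  return [
    `<h1>${escapeHtml(doc.name)}</h1>`,
    `<p title="${escapeHtml(doc.bio)}">${escapeHtml(doc.bio)}</p>`,
    `<script>var profileName = ${toJsStringLiteral(doc.name)};</script>`
  ].join('\n');
}

// Mongo filters are plain objects, so the search term is passed through raw;
// because the stored text is raw too, lookups and text search match directly.
function buildNameFilter(term) {
  return { name: term };
}
function buildTextSearchFilter(term) {
  return { $text: { $search: term } };
}
```

Because nothing is encoded on the way in, the same `term` a user types can be used directly in `buildNameFilter`, and Unicode such as the Chinese characters above passes through every step untouched.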