Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Encoding user input to be stored in MongoDB

Tags:

python

javascript

ajax

mongodb

unicode

I'm trying to determine the best practices for storing and displaying user input in MongoDB. Obviously, in SQL databases, all user input needs to be encoded to prevent injection attacks. However, my understanding is that with MongoDB we need to be more worried about XSS attacks, so does user input need to be encoded on the server before being stored in mongo? Or, is it enough to simply encode the string immediately before it is displayed on the client side using a template library like handlebars?

Here's the flow I'm talking about:

  1. On the client side, user updates their name to "<script>alert('hi');</script>".
    • Does this need to be escaped to "&lt;script&gt;alert(&#x27;hi&#x27;);&lt;&#x2F;script&gt;" before sending it to the server?
  2. The updated string is passed to the server in a JSON document via an ajax request.
  3. The server stores the string in mongodb under "user.name".
    • Does the server need to escape the string in the same way just to be safe? Would it have to first un-escape the string before fully escaping so as to not double up on the '&'?
  4. Later, user info is requested by client, and the name string is sent in JSON ajax response.
  5. Immediately before display, user name is encoded using something like _.escape(name).

Would this flow display the correct information and be safe from XSS attacks? What about about unicode characters like Chinese characters?

This also could change how text search would need to be done, as the search term may need to be encoded before starting the search if all user text is encoded.

Thanks a lot!

like image 351
Ethan Avatar asked Mar 10 '14 22:03

Ethan

People also ask

In which format data is stored in MongoDB?

MongoDB stores data in BSON format both internally, and over the network, but that doesn't mean you can't think of MongoDB as a JSON database.

How does MongoDB store JSON data?

MongoDB uses BSON to store data. While JSON and BSON have slight differences such as availability of data types and readability, they can easily be converted into each other. The process to import JSON into MongoDB depends on the operating system and the programming language you are using.

Which of the following format is supported by MongoDB?

Explanation: MongoDB supports JSON format compared to XML.

1 Answers

Does this need to be escaped to "&lt;script&gt;alert(&#x27;hi&#x27;);&lt;&#x2F;script&gt;" before sending it to the server?

No, it has to be escaped like that just before it ends up in an HTML page - step (5) above.

The right type of escaping has to be applied when text is injected into a new surrounding context. That means you HTML-encode data at the moment you include it in an HTML page. Ideally you are using a modern templating system that will do that escaping for you automatically.

(Similarly if you include data in a JavaScript string literal in a <script> block, you have to JS-encode it; if you include data in in a stylesheet rule you have to CSS-encode it, and so on. If we were using SQL queries with data injected into their strings then we would need to do SQL-escaping, but luckily Mongo queries are typically done with JavaScript objects rather than a string language, so there is no escaping to worry about.)

The database is not an HTML context so HTML-encoding input data on the way to the database is not the right thing to do.

(There are also other sources of XSS than injections, most commonly unsafe URL schemes.)

like image 177
bobince Avatar answered Sep 19 '22 12:09

bobince
Sign in to Comment

Related questions

Jquery Collapse and expand plugin for bootstrap
Download file to downloads folder ios/android using phonegap
Understanding the structure of underscore.js code
Input event triggered on Internet Explorer when placeholder changed
Paypal with angularjs $http.post request
Use javascript to update a json file
AngularJS How to prevent duplicated http requests?
Reliable technique for tracking invitations to mobile installations
How to use Chrome Extension functions (NaCl) in my website?
chrome.runtime is undefined when extension installed from chrome store
Pubnub receiving duplicate messages
Jquery on Input not working on dynamically inserted value
how to open default_popup on contextmenu item click in chrome extension
event.currentTarget.innerHTML is empty in IE10 after view is re-rendered
SyntaxError: JSON Parse error: Unexpected EOF
nth-child not working on dynamically generated DOM
How to create valid preloader with jQuery, which can preload mp3 file to browser cache?
How can "undefined is not a function" errors be made more useful?
Audio manipulation using node.js
Is it okay to save to the browser localstorage 25 times per second?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!