I have a system which allows users to enter HTML-reserved characters into a text area, then post that to my application. That information is then saved to a database for later retrieval and display. Alarms are (should be) going off in your head. I need to make sure that I avoid XSS attacks, because I will display this data somewhere else in the application. Here are my options as I see it:

1. I can HTML-encode the data on the way in to the database, so no HTML characters (< > & etc.) are ever entered in the database.
2. I can HTML-encode the data whenever I need to display it on a web page.
3. I can use a well-tested third-party library to remove potentially dangerous HTML and get a safe HTML fragment to save to the database, not HTML-encoded. A <script> or <object> tag won't make it, and we'll get support calls and emails because of that.

My question is: What is the best option, or if there is another way of going about this, what is it?
The right thing to do is not mangle/change user input.
So, do not encode before saving.
Yes, this puts the onus on the developers to remember and know that they need to encode anything coming out of the DB, but this is good practice regardless.
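A worked illustration of the answer above (added here; it is not code from the question or the answer). It stores the user's text unchanged and HTML-encodes at render time, then contrasts that with encoding before saving. The database, the sample comment and the function names are constructed for the example; the encoder covers the five characters that matter in HTML text and quoted-attribute contexts.

```javascript
// Added example, not from the original question or answer.  Demonstrates
// option 2 (store raw, encode on output) and why option 1 (encode before
// saving) mangles the data for every later consumer.

// Minimal HTML entity encoder for the text-node and quoted-attribute contexts.
// & < > protect text nodes; " and ' protect quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed stand-in for the database: holds exactly what the user typed.
const db = [];
function saveComment(rawText) {
  db.push(rawText);          // no mangling on the way in
  return db.length - 1;      // row id
}

// Option 2: encode once, at the point of display, for the HTML text context.
function renderComment(id) {
  return `<div class="comment">${escapeHtml(db[id])}</div>`;
}

// The same stored value placed in a quoted attribute: quotes are encoded too,
// so the value cannot break out of the attribute.
function renderTitleAttr(id) {
  return `<a href="#c${id}" title="${escapeHtml(db[id])}">link</a>`;
}

// A non-HTML consumer (plain-text email, JSON API, CSV export) emits the raw
// stored value.  This only works because the database holds raw text.
function plainText(id) {
  return db[id];
}

// Option 1 for contrast: encode before saving.  The render step still encodes
// (as it should; it cannot know the row is "pre-encoded"), so the reader sees
// literal "&lt;" on the page instead of "<".
function saveEncodedThenRender(rawText) {
  const stored = escapeHtml(rawText);   // mangled at rest
  return escapeHtml(stored);            // '&lt;' becomes '&amp;lt;'
}

// Constructed sample input resembling an XSS probe plus ordinary text.
const sample = '<script>alert("x")</script> & 5 > 3';

// Stand-alone run: store once, render into each context.
function demo() {
  const id = saveComment(sample);
  return {
    html: renderComment(id),
    attr: renderTitleAttr(id),
    text: plainText(id),
    doubleEncoded: saveEncodedThenRender('a<b'),
  };
}
```

The point of `plainText` is the one the answer makes: the moment the data is needed somewhere that is not an HTML page, a row that was encoded on the way in has to be decoded first, and every place that forgets is a bug. Encoding only at output keeps one rule for developers to remember: escape for the context you are writing into, every time.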