Reputation: 2159
Safe to allow users to save HTML to the database?
I have a site that my customers can use to allow their customers to register online (this is for daycare registrations). So I provide this online registration form and allow my customers to customize the "thank you" message that is displayed after the registration is complete.
Is it safe to allow my customers to use HTML to format their thank you message? I know this would allow them to also generate javascript but should I care about that?
Upvotes: 0
Views: 638
Answers (2)
Reputation: 174987
Yes, you most certainly should care.
<img src="http://evil.com/evilScript.js">
on their thank you message, I'll leave what could be on evilScript.js to your imagination.
My suggestion, use Markdown as a format, and parse it to HTML when you need it (in the View).
Upvotes: 3
Reputation: 101614
Yes, it's safe--as long as you sanitize it to some degree. A great example is to use strip_tags and only allow things like <h1>, <h2>, <b>, <u> etc. tags but avoid <script>, <object> and other dangerous tags.
I know I'm referencing a PHP method, but a lot of languages have this kind of functionality to cleanse user input. Take it at face-value and not making this a PHP-specific answer.
Upvotes: 1
Related Questions
- Database for Content - OK to store HTML?
- Security when storing user provided javascript code from web page forms into db
- Secure data in JavaScript
- Is it safe to save user created javascript in database?
- Saving JS data into the DB in a secure way
- Is it a bad idea to store html in a DB so that users can edit it?
- Safe way to save html to database
- Regarding the security of javascript for submitting proper data to servers
- Editing and Saving user HTML with Javascript - how safe is it?
- Avoiding XSS attacks when storing HTML