curv

Reputation: 3844

Data sanitization and DB storage

If I have the following data, what is the best option in terms of database storage?

Here is text<br><br>Here is some more text

I see that I have 3 options:

Are there any big "No No's" with any of the above? I'm just looking for some advice on best practice. Also worth noting that I will have absolutely no control over the data that I receive.

Upvotes: 0

Views: 267

Answers (2)

user

Reputation: 6947

Convert the data to canonical form, and store that. That is, you should store <p>Hello</p> or Here is text&lt;br&gt;&lt;br&gt;Here is some more text (though I doubt that's the decoding you intended for your example).

Then, you can search without having to worry about how it was encoded (&Ouml;, &#214; or &#xD6;, for example?), and just encode it to whatever format is appropriate for display on rendering.

Upvotes: 0

Simone Carletti

Reputation: 176362

Depending on your requirements, I suggest either stripping the tags or storing the unencoded version.

If you don't need the tags, then you can strip them and store the plain text.

If you need to preserve the tags and the formatting, then it's easier to save the unencoded version. Dealing with real tags is much simpler. Also, it's the view's responsibility to encode the output. In fact, it strictly depends on where you are going to print the string.

In the console, for example, tags don't create any issue. It's only when you need to print the string into an HTML view. But fortunately Rails takes care of output sanitization for you, so you don't need to store the sanitized version in the database.

Upvotes: 1
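The approach both answers describe, canonicalize on input and encode per output context at render time, as an added example in plain Ruby that is not code from the question or either answer. The named-entity table, the helper names and the constructed sample input are assumptions; Rails' own `h` and `strip_tags` helpers are deliberately not used so the block runs outside Rails.

```ruby
require "cgi"
require "erb"

# Minimal named-entity table (constructed for this example). CGI.unescapeHTML
# already decodes the basic entities (&amp; &lt; &gt; &quot; &apos;) and the
# numeric &#NNN; / &#xHH; forms, but not names such as &Ouml;.
NAMED_ENTITIES = { "Ouml" => "\u00D6", "nbsp" => "\u00A0" }.freeze

# Canonicalize on input: every encoding of a character becomes the character
# itself, so "&Ouml;", "&#214;" and "&#xD6;" all store (and search) as "Ö".
# Only one decoding pass is made, so an already double-encoded "&amp;lt;"
# ends up as "&lt;", not "<".
def canonicalize(raw)
  named = raw.gsub(/&([A-Za-z]+);/) { NAMED_ENTITIES.fetch($1, $&) }
  CGI.unescapeHTML(named)
end

# Option for when the tags are not needed: keep plain text only.
def strip_tags(text)
  text.gsub(/<[^>]*>/, "")
end

# Encode at render time, per output context. The stored canonical string is
# escaped for an HTML view and passed through untouched for a console/log sink.
def render(stored, context)
  case context
  when :html    then ERB::Util.html_escape(stored)
  when :console then stored
  else raise ArgumentError, "unknown output context: #{context.inspect}"
  end
end

# Constructed sample: the question's text as it might arrive entity-encoded.
RECEIVED = "Here is text&lt;br&gt;&lt;br&gt;Here is some more text"

if __FILE__ == $PROGRAM_NAME
  stored = canonicalize(RECEIVED)
  puts "stored:  #{stored}"
  puts "plain:   #{strip_tags(stored)}"
  puts "html:    #{render(stored, :html)}"
  puts "console: #{render(stored, :console)}"
end
```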
