
To properly escape code...


zid


Hi, I have a question.

Creating a site where I can post content and users can comment on them.

If I want to create a post that contains <code> or <pre> to display some code for users, which the CSS file identifies and adds some nice colors to, how can I make sure that the content is handled in a secure fashion?

 

Shall I use strip_tags(), htmlentities(), or htmlspecialchars() when inserting into the database? Or shall things be stored in the database with the <code> tags and taken care of when it comes to presenting/displaying the information to the users?

 

The same goes for users who want to comment on some script or whatever; I want to make sure that <code> does get presented correctly and that <script>alert('hacked');</script>, for example, does not execute.

 

How can I accomplish this?

 


You would, of course, escape content before inserting it into the database to prevent SQL injection, using the proper method for the database engine you are using (e.g. mysqli_real_escape_string() or prepared statements). However, some people would also escape the content for use on a web page [e.g. htmlentities()]. I think that is the wrong approach.

 

It makes it easier since you don't have to think about it so much when you pull data from the database to display on your page, but you will lose fidelity. Once you escape content you cannot, with certainty, revert it back to its original state. I believe you should only escape content, using the appropriate method, at the time that you will use it. Otherwise, keep the content in its original format. For example, if you were to run the content through htmlentities() before storing it in the database and later decided you wanted a way to output the data to a text file, you would end up with something much different than was intended.

 

So, I would store the content exactly as it is entered (escaping for the database, of course). Then, when building the page I would use htmlentities() or htmlspecialchars() on any of that content to ensure it doesn't get rendered as actual HTML code.

Edited by Psycho
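The store-raw, escape-at-output pattern from the reply above, as an added example rather than code from the thread. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension is loaded) so it runs offline; the comments table, the helper names and the two sample comments are constructed for this example.

```php
<?php
// Added example, not code from the thread: comments are stored exactly as typed
// and escaped only when rendered as HTML. PDO + in-memory SQLite (assumes the
// pdo_sqlite extension) keeps it self-contained; the table and the sample
// comments below are constructed for the example.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Storage: the prepared statement is what keeps the body out of the SQL text.
// No htmlentities()/strip_tags() here; the row holds the user's bytes unchanged.
function storeComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? '' : (string) $body;
}

// Output: escaping happens here, for this context (HTML text). ENT_QUOTES
// encodes both quote styles, so the same helper is safe inside attributes too.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A comment shown as code: the CSS can style <pre><code>, the browser shows the
// literal characters, and nothing inside is parsed as markup.
function renderCodeComment(string $body): string
{
    return '<pre><code>' . e($body) . '</code></pre>';
}

$db = openDb();

// Constructed sample input: the XSS attempt from the question, and a snippet
// that contains characters htmlentities() would have rewritten.
$xss  = storeComment($db, "<script>alert('hacked');</script>");
$snip = storeComment($db, "echo \"Hello\" > file.txt");

// HTML context: escaped at render time.
echo renderCodeComment(loadComment($db, $xss)), PHP_EOL;

// Plain-text context (the text-file export from the reply): no escaping at all,
// which only gives back the user's input because the row was stored unescaped.
echo loadComment($db, $snip), PHP_EOL;
```

Run it with the php CLI. The first line printed is the comment as it would appear in the page source, with every `<`, `>` and quote encoded; the second is the second snippet exactly as typed. Had that snippet been passed through htmlentities() before the INSERT, the export would carry `&quot;` and `&gt;` in place of the quotes and the redirect, which is the loss of fidelity the reply describes.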

Hi,

 

those are two entirely different problems.

 

Prepared statements protect the queries against SQL injections (when used correctly), but they don't do anything about cross-site scripting. That's not their job.

 

The risk of people injecting JavaScript code must be dealt with separately. Unfortunately, you can't just escape everything, because you said you want to have syntax highlighting through <code> elements. This is much more complicated and risky. I strongly recommend that you do not try to implement this on your own but rather use an established library which takes care of the security. The first library I found with a quick search was GeSHi, but I haven't looked into its security yet.

 


I use GeSHi and like it a lot; I feel it's pretty secure. You don't have to store anything in the database, thus nothing to worry about security-wise when it comes to that portion of the code. I tried writing my own highlight script and found it was a pain in the butt, plus I don't have to worry about security for that portion, like I said.

Edited by Strider64

Hi again guys, so with this GeSHi, should I or should I not use the special chars function or whatever when users are inputting code? Somehow the HTML must identify what is code on the output?

 

Or should I just let users post <code>This is a test</code> into the database and GeSHi secures the output?

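One way to answer the question above (how the page knows which part of a comment is code) that also fits the earlier reply about highlighting: have users mark code with a plain-text marker, then render prose and code regions separately, escaping both. This is an added example, not code from the thread or from GeSHi; the `[code=lang]...[/code]` syntax, the ALLOWED_LANGS list and the sample comment are choices made for this example, and the `codeToHtml()` function is a stand-in where a real highlighter would be called.

```php
<?php
// Added example, not code from the thread: a plain-text marker tells the server
// which part of a comment is code. Everything is HTML-escaped on output; the
// code part additionally gets a <pre><code class="language-..."> wrapper that
// the CSS (or a highlighter) can key on. The [code=lang] syntax and the
// ALLOWED_LANGS list are assumptions made for this example.

declare(strict_types=1);

// Only these names may become a class attribute; anything else is plain text.
const ALLOWED_LANGS = ['php', 'js', 'html', 'css', 'sql', 'bash'];

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for a highlighter. A library such as GeSHi would be called here
// instead; whichever you use, its output must reach the page already escaped.
function codeToHtml(string $code, string $lang): string
{
    $attr = in_array($lang, ALLOWED_LANGS, true) ? ' class="language-' . $lang . '"' : '';
    return '<pre><code' . $attr . '>' . e($code) . '</code></pre>';
}

function proseToHtml(string $prose): string
{
    $prose = trim($prose);
    // Escape first, then add <br>, so the break tags themselves are not escaped.
    return $prose === '' ? '' : '<p>' . nl2br(e($prose)) . '</p>';
}

// Split the comment into prose and [code]...[/code] regions and render each.
function renderComment(string $text): string
{
    $pattern = '/\[code(?:=([a-z0-9]+))?\](.*?)\[\/code\]/is';
    preg_match_all($pattern, $text, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE);

    $html = '';
    $pos = 0;
    foreach ($matches as $m) {
        [$whole, $start] = $m[0];
        $html .= proseToHtml(substr($text, $pos, $start - $pos));
        $lang = strtolower($m[1][0]);   // '' when no =lang was given
        $html .= codeToHtml($m[2][0], $lang);
        $pos = $start + strlen($whole);
    }
    $html .= proseToHtml(substr($text, $pos));
    return $html;
}

// Constructed sample comment: real code to display, plus an XSS attempt in
// the prose around it.
$comment = "Try this:\n"
    . "[code=php]<?php echo \"<b>hi</b>\"; ?>[/code]\n"
    . "Not this: <script>alert('hacked');</script>";

echo renderComment($comment), PHP_EOL;
```

The point of the split is that the database still holds the comment as typed, markers included; the decision about what is code is made at render time, and the code region is never handed to the browser unescaped, so even `<script>` inside a `[code]` block is displayed rather than run. Only a whitelisted language name ever becomes part of a class attribute, so user input cannot reach the markup unescaped through that path either.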
