To proper escape code...

[zid]

Hi, have a question.

Creating a site where I can post content and users can comment on them.

If want to create a post that contains <code> or <pre> to display some code for users that the css file identifies and adds some nice colors to it. How can I make sure that the content is handled in a securely fashion?

 

shall I use strip_tags(); / htmlentities(); / htmlspecialchars(); when inserting to the database? or shall things be stored in the database with the <code> tags and taken care of when it comes to presenting/displaying the information for the users?

 

The same goes for users who wants to comment on some script or whatever, I wanna make sure that <code> does get presented correctly and that <script>alert('hacked');</script> for example does not execute.

 

How can I accomplish this?

 

[Psycho]

You would, of course, escape content before inserting it into the database to prevent SQL Injection using the proper method for the database engine you are uisng (e.g. mysqli_real_escape_string() or prepared statements). However, some people would also escape the content for use on a web page [e.g. htmlentities()]. I think that is the wrong approach.

 

It makes it easier since you don't have to think about it so much when you pull data from the database to display on your page, but you will lose fidelity. Once you escape content you can not with certainty) revert it back to its original state. I believe you should only escape content using the appropriate method at the time that you will use it. Otherwise, keep the content in it's original format. For example, if you were to run the content through htmlentities() before storing the in the database and later decided you wanted a way to output the data to a text file you would end up with something much different than was intended.

 

So, I would store the content exactly as it is entered (escaping for the database, of course). Then, when building the page I would use htmlentities() or htmlspecialchars() on any of that content to ensure it doesn't get rendered as actual HTML code.

Edited May 1, 2014 by Psycho

[zid]

Hi, I use PDO and prepared statements, would it be safe then to store it in the database?

[Jacques1]

Hi,

 

those are two entirely different problems.

 

Prepared statements protect the queries against SQL injections (when used correctly), but they don't do anything about cross-site scripting. That's not their job.

 

The risk of people injecting JavaScript code must be dealt with separately. Unfortunately, you can't just escape everything, because you said you want to have syntax highlighting through <code> elements. This is much more complicated and risky. I strongly recommend that you do not try to implement this on your own but rather use an established library which takes care of the security. The first library I found with a quick search was GeSHi, but I haven't looked into its security yet.

 

 

[Strider64]

I use GeSHi and like it a lot, I feel it's pretty secure. You don't have to store anything in the database thus nothing to worry about security when it comes to that portion of the code.  I tried writing my own highlight script and found it was a pain in the butt, plus I don't have worry about security for that portion like I said.

Edited May 1, 2014 by Strider64

[zid]

Hi again guys, so with this GeSHi I should or should not use the special chars or whatever when users are inputing code? Somehow the HTML must identify what is code on the output?

 

Or should I just let users post <code>This is a test</code> into the database and GeSHi secures the output?