what to validate when saving user ckeditor html data into a database_问答_开发者

what to validate when saving user ckeditor html data into a database

开发者 https://www.devze.com 2023-03-26 17:22 出处：网络

i have a textarea and I am using ckeditor to allow users to enter data and click upload.This will save the html of this data to a mysql database table to display on a separate web page

i have a textarea and I am using ckeditor to allow users to enter data and click upload. This will save the html of this data to a mysql database table to display on a separate web page

What do i need to worry about in terms of what people are posting. Do i need to add any validation on the front end or back end to ensure that they are not posting dangerous scripts, etc . .

What is the easiest way to validate that what is being p开发者_开发知识库osted is fine to store and put back to the client to display later.

Do i need to add any validation on the front end or back end to ensure that they are not posting dangerous scripts, etc

No, you shouldn't worry about this. As far as you use parametrized queries in order to store data to avoid SQL injection a relational database doesn't care much about what kind of text you are throwing at it.

Problems might arise when you try to display this data back on a web page. It is at this moment that you should ensure that it is properly HTML encoded.

For razor:

@...

For WebForms (ASP.NET 4.0)

<%: ...

For WebForms (prior to ASP.NET 4.0)

<%= Html.Encode(...

Or for all of the above:

Html.DisplayFor(x => x.SomePropertyOftheViewModel)

What is the easiest way to validate that what is being posted is fine to store and put back to the client to display later.

Parametrized queries to store data (only if you are using a relational database) and HTML encode to display back.

You might also find the following blog post useful about the Microsoft Anti-Xss library.

as far as I know ckeditor do not supply any build in xss protection (you should always verify such things on server side). In addition to Darin Dimitrov answer I can say that in my recent project I need to display user input as html, and do not encode it. If you face similar situation (and you almost definitelly are - usually there is no point of using ckeditor and ignore format) - look at: http://refactormycode.com/codes/333-sanitize-html If this is your case - just sanitize html using Sanitize method from the post and then you can display it as it is.