Saving property with HTML - encode on entry, or on display? -


i have system allows users enter html-reserved characters text area, post application. information saved database later retrieval , display. alarms (should be) going off in head. need make sure avoid xss attacks, because display data somewhere else in application. here options see it:

encode before save db

i can html-encode data on way in database, no html characters ever entered in database.

pros:

  • developers don't have remember html encode data when displayed on web page.

cons:

  • the data doesn't make sense desktop-based applications (or other html). stuff shows < > & etc.

don't html encode before saving db

i can html encode data whenever need display on web page.

pros:

  • feels right because keeps integrity of data entered user.
  • allows non-html based applications display data without having worry html encoding.

cons:

  • we might display data in lot of places, , we'll have make sure every developer knows when display field, you'll need html encode it.
  • people forget things. there @ least once instance when forget html encode data.

scrub data before saving db (don't html encode)

i can use well-tested third party library remove potentially dangerous html , safe html fragment save database, not html encoded.

pros:

  • preserves of original input display in non-html format makes sense.
  • less catastrophic if developer forgets html encode information display on web page.

cons:

  • still messes data user entered it. if want type <script> or <object> tag, won't make it, , we'll support calls , emails because of that.

my question is: best option, or if there way of going this, it?

the right thing not mangle/change user input.

so, do not encode before saving.

yes, puts onus on developers remember , know need encode coming out of db, practice regardless.


Comments

Post a Comment

Popular posts from this blog

asp.net - repeatedly call AddImageUrl(url) to assemble pdf document -

i'm using abcpdf , i'm curious if can recursively call addimageurl() function assemble pdf document compile multiple urls? something like: int pagecount = 0; int theid = thedoc.addimageurl("http://stackoverflow.com/search?q=abcpdf+footer+page+x+out+of+", true, 0, true); //assemble document while (thedoc.chainable(theid)) { thedoc.page = thedoc.addpage(); theid = thedoc.addimagetochain(theid); } pagecount = thedoc.pagecount; console.writeline("1 document page count:" + pagecount); //flatten document (int = 1; <= pagecount; i++) { thedoc.pagenumber = i; thedoc.flatten(); } //now try again theid = thedoc.addimageurl("http://stackoverflow.com/questions/1980890/pdf-report-generation", true, 0, true); //assemble document while (thedoc.chainable(theid)) { thedoc.page = thedoc.addpage(); theid = thedoc.addimagetoc
Read more

java - Android recognize cell phone with keyboard or not? -

in android app, want detect user's device if device has keyboard(like motorola milestone) , show corresponding user interface. guys know how that? ! regards justicepenny http://developer.android.com/reference/android/content/res/configuration.html public int keyboard the kind of keyboard attached device. 1 of: keyboard_nokeys, keyboard_qwerty, keyboard_12key. that's it!
Read more

iphone - How would you achieve a LED Scrolling effect? -

how achieve led scrolling effect example below? led sign - led ticker emulator iphone , ipad http://img.skitch.com/20101201-rsfh4p1bajb1wp94k466pdpiuj.preview.jpg sometimes remunerates comment in other posts :) have put code you, should implement font '8pin matrix' realistic feeling. uilabel *label; - (void)viewdidload { [super viewdidload]; label = [[uilabel alloc]initwithframe:cgrectmake(10, 50, 300, 20)]; label.font = [uifont fontwithname:@"courier-bold" size:16.0]; label.backgroundcolor = [uicolor blackcolor]; label.textcolor = [uicolor greencolor]; label.linebreakmode = uilinebreakmodecharacterwrap; // otherwise "…" label.text = @"this led text scrolled "; // blanks space between [self.view addsubview:label]; [nstimer scheduledtimerwithtimeinterval:0.12f target:self selector:@selector(scrolllabel) use
Read more