javascript - Encoding user input to be stored in MongoDB -


i'm trying determine best practices storing , displaying user input in mongodb. obviously, in sql databases, user input needs encoded prevent injection attacks. however, understanding mongodb need more worried xss attacks, user input need encoded on server before being stored in mongo? or, enough encode string before displayed on client side using template library handlebars?

here's flow i'm talking about:

  1. on client side, user updates name "<script>alert('hi');</script>".
    • does need escaped "&lt;script&gt;alert(&#x27;hi&#x27;);&lt;&#x2f;script&gt;" before sending server?
  2. the updated string passed server in json document via ajax request.
  3. the server stores string in mongodb under "user.name".
    • does server need escape string in same way safe? have first un-escape string before escaping not double on '&'?
  4. later, user info requested client, , name string sent in json ajax response.
  5. immediately before display, user name encoded using _.escape(name).

would flow display correct information , safe xss attacks? about unicode characters chinese characters?

this change how text search need done, search term may need encoded before starting search if user text encoded.

thanks lot!

does need escaped "&lt;script&gt;alert(&#x27;hi&#x27;);&lt;&#x2f;script&gt;" before sending server?

no, has escaped before ends in html page - step (5) above.

the right type of escaping has applied when text injected new surrounding context. means html-encode data @ moment include in html page. ideally using modern templating system escaping automatically.

(similarly if include data in javascript string literal in <script> block, have js-encode it; if include data in in stylesheet rule have css-encode it, , on. if using sql queries data injected strings need sql-escaping, luckily mongo queries typically done javascript objects rather string language, there no escaping worry about.)

the database not html context html-encoding input data on way database not right thing do.

(there other sources of xss injections, commonly unsafe url schemes.)


Comments

Post a Comment

Popular posts from this blog

php - SPIP: From Tag directly to an article -

i work spip , plugin called tagsphere works fine tags in spip. have tag groupe put 1 article tag. when click on tag in tagsphere send me before menu can see articles linked tag. want send me directly article without see tag menu before. here code model of thagsphere: <div id="tagsphere-#env{id_article}"> <ul> <boucle_mot(mots){id_groupe ?}> <li>[<a href="#url_mot">(#titre)</a>]</li> </boucle_mot> </ul> </div> anybody idea? if want skip tag page, have link directly article. <b_article> block prevents display tag if no article linked. <div id="tagsphere-#env{id_article}"> <ul> <boucle_mot(mots){id_groupe ?}> <b_article> <li> <a<boucle_article(articles){...
Read more

jquery - isAjaxRequest always return false -

i got error message 404,'model has not been saved' following code my action controller public function actionextend($id) { $model=$this->loadmodel($id); if(yii::app()->request->isajaxrequest) { $model->todate = date('y-m-d h:i:s a',(strtotime('next month',strtotime(date('y-01-d'))))); if($model->save()) { yii::app()->end(); } else { throw new chttpexception(404,'model has not been saved'); } } } the jquery call $("#buttonextend<?php echo $this->post_row;?>").click(function(e){ $.ajax({ type: "post", url: "<?php echo yii::app()->createurl('post/extend', array('id' => $data['id'])); ?>", }); }); why not ajax call ? thank help i found response, missed } , function ...
Read more

ruby on rails - In a controller spec, how to find a specific tag in the generated view? -

i know integration tests preferred need ran in controller test, i'm testing gem injecting html code in view, xhr can't run in feature spec (if can, please explain me how :) ) so rspec controller tests can assert selector present (with capybara) : response.body.should have_selector('#foobar') has_selector? call all method capybara find selector. what want last child of body , assert id in particular. afaik it's not possible have_selector. what : all('body:first-child').first.id.should == '#foobar' however, capybara dsl, defined (more or less): def all(*args) page.all(*args) end and page empty unless use visit it's integrations specs. how can use capybara all method inside rspec controller test ? i can't test right after googling seems trick def page capybara::node::simple.new(response.body) end source
Read more