
Storing HTML in a database. Is it safe?

Status
Not open for further replies.

daamsie

Programmer
Jul 17, 2002
10
AU
Ok, I've been looking all over the net trying to find some good advice on this. I'm working on a blog type application and I want my users to be able to format their text as they see fit. I have a nice little WYSIWYG textarea replacement, but I have a little question I need to have answered first.

Will allowing HTML into the database be a security risk?

Should I encode the HTML beforehand perhaps? Or should I just be sure to validate the input to make sure only a limited set of safe tags is allowed (i.e. <b>, <ul>, etc.)?

I notice a lot of forums using their own brand of fake HTML code (this one included), but it doesn't seem quite right to create more coding languages when there is already one suited. Is there a compelling reason to do so though?

Finally, are there any characters that should absolutely never be allowed into a database? I currently disallow my forum users the use of a few 'illegal' characters that I have read are dangerous, but sometimes those users get a little annoyed they can't use them.

Thanks for your help!
 
The only problem I've come across in storing HTML in a database is this:

1) If you have them enter something small in a text box (<input type="text" value="">) and put it back in the text box for them to edit, and they have quotes in the string, only the part prior to the first quote will show.

For example, if a user enters (She said "yeah ok, whatever"), the only part that will show up in the text box is (She said ) because the first quote in the text will make the tag think the value is now over. The rest will show up in the source if you do a view source; it's just not going to show up in the text box.

2) If you use a text area, your users can't add a </textArea> if you present it to be edited. Everything will be displayed after the closing text area tag and the REAL text area tag will be ignored.

<textArea>This is some text what do you think?<br>
<textArea></textArea> Thank you for your comment</textArea>

That will cause a problem. As for security... I don't think so. It's just markup; it can't DO anything to cause a security risk.

Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.
-Douglas Adams (1952-2001)
 
Besides that, the only problem I have with doing that is it can really be a conflict of interests. Databases are for data, HTML is for display. There is almost always a better way to do it, besides putting HTML in a database.

 
Hi Imstillatwork,

Any ideas what might be a better way to do this then? I basically want to allow my users the ability to specify the markup for each of their blog entries. Any suggestions are welcome - I can still easily change things at this stage.



 
To quote Google "define data":

Data can be defined in many ways. Information science defines data as unprocessed information. Data is converted into information, and information is converted into knowledge. For the purposes of Enterprise, data is a small unit of information, i.e. a learner's name or an exam mark.

a collection of facts from which conclusions may be drawn; "statistical data"

Numerical or other information represented in a form suitable for processing by computer; "Computer Science"


HTML is the data (Information) needed to display a webpage. It's nothing more than text.
In fact there is more "Data" in a line of HTML than there is in something like the example of "information" listed below:

| Name   |
|--------|
| Travis |
| Bob    |
| Joe    |

It's all about how you want to define "Data".

Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.
-Douglas Adams (1952-2001)
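An added example, not code from anyone in this thread: Python covering both the re-display problem described above (a quote ending value="..." early, a stray </textarea>) and the limited allow-list of tags the original question asks about. ALLOWED_TAGS, the function names and the sample inputs are my own assumptions.

```python
import html
from html.parser import HTMLParser

# Assumed allow-list for a blog post body; attributes are never kept.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li"}


def escape_for_attribute(text):
    """Escape stored text for reuse inside value="..." so a quote cannot end the attribute."""
    return html.escape(text, quote=True)


def escape_for_textarea(text):
    """Escape stored text for reuse between <textarea> tags so </textarea> cannot close it early."""
    return html.escape(text, quote=False)


class AllowListSanitizer(HTMLParser):
    """Keep only tags in ALLOWED_TAGS, stripped of attributes; show everything else as literal text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes dropped, so no event handlers survive
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text content is always escaped, even inside <script>


def sanitize_html(fragment):
    """Run a user-supplied fragment through the allow-list before it is stored or rendered."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Sanitize once on the way in and still escape on the way out for the edit form; the two steps protect different contexts.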
 