
I am reading HTML from a web page inside a content div using jQuery.

HTML Code

<div id="content">
Html Code
</div>

jQuery Code

var htmlContent = $("#content").html();

and saving it directly into the database using an Ajax request. But if somebody injects HTML or JavaScript code into the HTML content of the page, that is also saved into the database.

The next time the HTML is loaded on the page, it is infected with an XSS attack. Is there any way I can prevent the XSS attack?

  • Why are you doing this? I thought it was bad enough to store hard-coded HTML in a database. The best and most secure way is to not do it. If you post what you're trying to achieve, maybe a better approach can be given. – ste2425 Jun 22 '16 at 05:31
  • @ste2425 I am creating a template for mail dynamically using a drag-and-drop approach. So I am dropping the HTML into the div, and then the user can add his text into that HTML or can add an image, and then on final Save I am saving it into the database. – Abhishek Khatter Jun 22 '16 at 05:43
  • This could also be a good question to move to security.stackexchange.com – dnozay Jun 22 '16 at 05:53

4 Answers

Ideally, you will have a data model of the HTML that is being stored, and you will store that model in a format such as JSON. That JSON can be used to reconstruct the HTML.

In that JSON model, you will only include content that is considered safe.

Now, if you still need to store HTML code in the database and inject it back into a page later, then the only safe option you have is to scour that HTML on the server, compare its contents with a whitelist of allowed content, and delete whatever is not in your whitelist.

See this post.

CodeToad
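The "data model instead of raw HTML" approach from this answer, as an added example (not code from the question or the answer): the mail template is stored as JSON blocks, only known block types and fields survive validation, and the HTML is rebuilt from that model on output with every value encoded. Nothing the user typed ever reaches the page as markup. The block types, field names, size limits and the sample submission are this example's own assumptions.

```javascript
// Added example: JSON template model -> validate against an allowlist -> render.
// Block types (heading, paragraph, image), field names and limits are assumptions.

const escapeHtml = (s) => String(s)
  .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
  .replace(/"/g, "&quot;").replace(/'/g, "&#x27;");

// Only http(s) URLs are accepted for images; any other scheme is rejected.
function safeUrl(value) {
  try {
    const u = new URL(String(value));
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Server-side validation of what the Ajax save endpoint receives.
// Returns a cleaned model containing only allowlisted block types and fields,
// or throws so the request is refused.
function validateTemplate(input) {
  if (!input || !Array.isArray(input.blocks)) throw new Error("blocks[] required");
  return {
    blocks: input.blocks.map((b, i) => {
      switch (b && b.type) {
        case "heading":
        case "paragraph":
          if (typeof b.text !== "string" || b.text.length > 2000) {
            throw new Error(`block ${i}: bad text`);
          }
          return { type: b.type, text: b.text };
        case "image": {
          const src = safeUrl(b.src);
          if (!src) throw new Error(`block ${i}: image src must be http(s)`);
          const alt = typeof b.alt === "string" ? b.alt.slice(0, 200) : "";
          return { type: "image", src, alt };
        }
        default:
          throw new Error(`block ${i}: unknown block type`);
      }
    }),
  };
}

// Rendering on output: the model is the only source of tags, values are encoded.
function renderTemplate(model) {
  return model.blocks.map((b) => {
    switch (b.type) {
      case "heading":   return `<h1>${escapeHtml(b.text)}</h1>`;
      case "paragraph": return `<p>${escapeHtml(b.text)}</p>`;
      case "image":     return `<img src="${escapeHtml(b.src)}" alt="${escapeHtml(b.alt)}">`;
      default:          throw new Error("unreachable: model was validated");
    }
  }).join("\n");
}

// Constructed sample of a submission carrying markup in its text fields.
const submitted = {
  blocks: [
    { type: "heading", text: "Hello <b>world</b>" },
    { type: "paragraph", text: "<script>alert(1)</script>" },
    { type: "image", src: "https://example.invalid/logo.png", alt: '"><i>x</i>' },
  ],
};

const stored = validateTemplate(submitted);   // this JSON is what goes into the database
const html = renderTemplate(stored);          // rebuilt from the model on every page load
console.log(html);
```

The point of the split is that the stored artifact is data, not markup: a submission with an unknown block type or a non-http(s) image URL is rejected at save time, and text that contains tags is shown literally because the renderer never interprets it as HTML.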

The OWASP has a page dedicated to XSS prevention:

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Some measures include:

  • entity encoding
  • html validation
  • url encoding
  • sanitization (whitelist based)
  • ...

There is also this point mentioned in the question:

[...] and saving it directly into database using Ajax Request.

No matter what you do client-side, an attacker can send traffic directly to the endpoint; so don't forget server-side validation.

dnozay

A few tips:

  • Use proper encoding; make sure no SQL injection can take place
  • Provide client- and server-side validation
  • Sanitize the HTML before pushing it into the database, stripping off all scripts (see Wikipedia link)
  • Use CSP headers to avoid inline script execution when displaying the HTML (see Content Security Policy)

With these measures you'll be a lot more secure against possible XSS attacks.

Yoeri

HTML in the database should not be a problem - the database server will not execute script stored within data tables.

The problem, as you state, is if this is output in raw form to an HTML page.

You should HTML encode in order to prevent XSS - do this on output.

To make this simple use the OWASP XSS Experimental Minimal Encoding Rules.

Many languages already provide HTML encoding functions to do the above - remember, apply these on output and only within an HTML context (i.e. not script, CSS or comments).

If you need to use dynamic values in script, see this answer.

SilverlightFox
  • But what if the requirement is to render the stored HTML in the browser? Encoding at the point of output will not render the HTML, but will simply display it as it is. I have the same question: https://stackoverflow.com/questions/75689273/how-to-safely-store-html-and-js-in-the-database – LP13 Mar 09 '23 at 22:51