
I made a form site with nodejs. But I don't know which characters (from the textarea) I should allow for users' comments. For example / " ' () {} . , ; : ! ? (punctuation marks): I want to allow these characters. Are these characters a problem for security? I use mongodb for the database. Like the stackoverflow comment area: we can add all characters in our comments and they are saved.

```html
<form action="/comment" method="post" id="myForm" onsubmit="myFunction()">
  <!-- the name attribute is required, otherwise the value is not sent in the POST body -->
  <textarea name="comment"></textarea>
  <button type="submit">Send</button>
</form>
```
ŞükSefHam
  • Any input in your HTML form is a potential problem for security. What you need to do is configure strategies to avoid injection attacks. This post explains some kinds of attacks: [What are Injection Attacks?](https://www.acunetix.com/blog/articles/injection-attacks/) – Ele Jan 27 '18 at 17:57
  • Look at @iamcaleberic's answer. – ŞükSefHam Jan 27 '18 at 17:59
  • You should not "allow" or "disallow" any characters. You should simply properly escape user data when putting it in HTML. Please show us the code that receives and processes the POST request, not the form markup. – Bergi Jan 27 '18 at 18:00
  • The answer from **iamcaleberic** is not a good one. – Ele Jan 27 '18 at 18:06
  • @bergi For example, I allow only number or alphabet characters: `req.body.ad.replace(/[^a-zA-Z şıöüğçİŞÖĞÜÇ]+/g,"")`. I use this for the user's nick or name, but I want to learn: should I allow the punctuation marks? Or how can I save these characters in the database (like stackoverflow)? – ŞükSefHam Jan 27 '18 at 18:17
  • @ŞükranEken Yes, you should allow them, and the Turkish alphabet is by no means the only viable alphabet. On how to save them in your database (and stackoverflow is not a database), you have to read your database's documentation. Or at least tell us which database system you are using. – Bergi Jan 27 '18 at 18:25
  • I use mongodb for the database. And I did not say stackoverflow is a database. – ŞükSefHam Jan 27 '18 at 18:28
  • My question is: how can I allow all characters from the textarea? Like the stackoverflow comment area: we can add all characters in our comments and they are saved. – ŞükSefHam Jan 27 '18 at 20:40

2 Answers

0

What you need to do is allow everything, but save it and process it securely. More specifically, protect against SQL injection, etc.

From Michael Pratt's answer

The node-mysql library automatically performs escaping when used as you are already doing. See https://github.com/felixge/node-mysql#escaping-query-values
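The approach from this answer and from Bergi's comments on the question (accept every character, store the text unchanged, escape only when rendering HTML) as an added example; it is not code from the question or the answers. Express and a MongoDB collection are assumed in the commented-out handler, and the length limit is an assumed application setting; the functions themselves run without either.

```javascript
// Added example: keep all punctuation and Unicode in a comment, and make the
// text harmless by escaping at output time rather than by stripping characters.

// Escape the five characters that carry meaning in HTML text and attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed application setting: maximum accepted comment length.
const MAX_COMMENT_LENGTH = 5000;

// Validate a submitted comment without removing any characters. Body parsers can
// turn a field into an object or array (e.g. from nested form keys or JSON); if that
// were passed to MongoDB it would be interpreted as a query document rather than a
// value, so only strings are accepted.
function validateComment(value) {
  if (typeof value !== 'string') {
    return { ok: false, error: 'comment must be a string' };
  }
  const comment = value.trim();
  if (comment.length === 0) {
    return { ok: false, error: 'comment must not be empty' };
  }
  if (comment.length > MAX_COMMENT_LENGTH) {
    return { ok: false, error: 'comment too long' };
  }
  return { ok: true, comment }; // punctuation such as / " ' () {} ; : is kept as-is
}

// Render a stored comment as an HTML fragment; escaping happens here, at output.
function renderComment(author, comment) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(comment)}</div>`;
}

// Hypothetical Express route (Express and a Mongo collection `comments` assumed):
// app.post('/comment', async (req, res) => {
//   const result = validateComment(req.body.comment);
//   if (!result.ok) return res.status(400).send(result.error);
//   await comments.insertOne({ author: req.user.name, text: result.comment });
//   res.redirect('/');
// });

// Constructed sample input using the punctuation from the question plus markup.
const sample = 'Merhaba! Is <script>alert("x")</script>, {} / \' ; : ? safe?';
console.log(renderComment('ŞükSefHam', validateComment(sample).comment));
```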

Yusuf Kandemir
-1

While there are various possible attacks, text entered into an input/textarea will be handled as normal text characters, although you can make sure any user input added is escaped; otherwise, for the most part, it will not have an impact on your security.

You might take precautions like ensuring your site handles encrypted traffic to mitigate against the most common types of attacks.

iamcaleberic
  • If I use input? – ŞükSefHam Jan 27 '18 at 17:58
  • @ŞükranEken So to explain it further: when a user adds input, as I am adding to this form, you already have a predetermined path for it. I enter the text, it's processed and saved into the database. There's various kinds of attacks that might affect your data in transit, but less likely than not; if your site is encrypted, any data entered should follow the predetermined path. – iamcaleberic Jan 27 '18 at 18:01
  • In order to avoid SQL injection attacks, you should always escape any user-provided data before using it inside a SQL query. – iamcaleberic Jan 27 '18 at 18:09