I want to use markdown to save the data securely instead of the JSON.stringify() method. Like this example: usercomment is `<script>alert('ss')</script>`

const markdown = require('markdown').markdown; // the markdown package, for markdown.toHTML()

// the comment arrives in req.body, so this needs to be a POST route with a body parser mounted
app.post('/comment', function(req, res){
    var usercomment = req.body.comment; // from comment textarea (user's comment)
    const x = markdown.toHTML(usercomment);
    var comments = new comment({user: req.session.nick, comment: x}); // `comment` is the model used elsewhere (not shown)
    comments.save();
    console.log(x);
    res.send('saved');
});

Or use JSON.stringify() like this: I save the usercomment with JSON.stringify(). Later I will send the comment (from the database) to HTML with markdown.toHTML(comment):

// the comment arrives in req.body, so this needs to be a POST route with a body parser mounted
app.post('/comment', function(req, res){
    var usercomment = req.body.comment;
    const x = JSON.stringify(usercomment);
    var comments = new comment({user: req.session.nick, comment: x}); // `comment` is the model used elsewhere (not shown)
    comments.save();
    console.log(x);
    res.send('saved');
});
Which one should I use?
ŞükSefHam
    what's in `usercomment`? Also, neither of the two snippets converts *to* markdown - please clarify – giorgiga Feb 07 '18 at 14:04
  • It's not clear what sort of "security" we're talking about here. – Pointy Feb 07 '18 at 14:04
  • If your concern is security you should have a look at escape functions instead. Also take a look at this question: https://stackoverflow.com/questions/6234773/can-i-escape-html-special-chars-in-javascript – Apolo Feb 07 '18 at 14:06
  • @Pointy should I say - what sort of "security"? JSON.stringify() - **When sending data to a web server, the data has to be a string.** – ŞükSefHam Feb 07 '18 at 14:16
  • On this site most users only look at questions - How to ask? -. If a question is not clear, press the **-** vote. Yes, I understand this. But now my question is very very very clear. So you must answer my question (for negative voters), or you only look at - How to ask? -. – ŞükSefHam Feb 07 '18 at 14:38
  • [test](javascript://%0d%0aprompt(1)) – ŞükSefHam Feb 20 '18 at 19:17

1 Answer

JSON and Markdown do not give you security

Neither of the things you mention will magically give you security. To handle dangerous user input, you need to sanitize the input.

A quick search on NPM gives me sanitize-html, which seems like it would be good for this purpose.

const sanitizeHtml = require('sanitize-html');
app.post('/comment', function(req, res){
    let usercomment = req.body.comment;
    let safe_comment = sanitizeHtml(usercomment); // default allowlist: no <script>, no event handlers
    let comments = new comment({ // `comment` is the model from the question
        user: req.session.nick,
        comment: safe_comment,
    });
    comments.save();
    res.send('saved');
});

If you don't want to allow your users to use any HTML, you can escape the user comment so that their input does not act like HTML. (htmlencode seems good for this purpose)

const htmlencode = require('htmlencode');
app.post('/comment', function(req, res){
    let usercomment = req.body.comment;
    let safe_comment = htmlencode.htmlEncode(usercomment); // '<' becomes '&lt;' etc.; nothing is parsed as a tag
    let comments = new comment({ // `comment` is the model from the question
        user: req.session.nick,
        comment: safe_comment,
    });
    comments.save();
    res.send('saved');
});
JoshWillik
  • @ŞükranEken Markdown does not automatically escape HTML like that. However, sites like GitHub have implemented their own HTML sanitizer (see [GitHub's](https://github.com/github/markup#github-markup) for example) which runs after the Markdown is converted to HTML. Those sanitizers will escape ` – Waylan Feb 08 '18 at 21:28
  • For more information about making Markdown "secure" I suggest reading [Markdown and XSS](https://michelf.ca/blog/2010/markdown-and-xss/). – Waylan Feb 08 '18 at 21:30
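An added, dependency-free example (not code from the question, the answer, or the sanitize-html, htmlencode or markdown packages) that checks the three points made on this page in plain Node.js: JSON.stringify() leaves the `<script>` tag from the question intact; entity-escaping makes the comment inert when it is rendered as HTML text; and a Markdown link target like the `[test](javascript://%0d%0aprompt(1))` test comment above is not an HTML tag at all, so it needs a URL-scheme allowlist on top of escaping. The helper names (escapeHtml, isSafeHref, renderCommentHtml, renderLinkHtml), the sample comment and the allowed-scheme list are this example's own assumptions.

```javascript
// Added example, not from the original question or answer and not using the
// sanitize-html, htmlencode or markdown npm packages; runs with plain Node.js.
// Names below (escapeHtml, isSafeHref, renderCommentHtml, ...) are this example's own.

// Constructed sample input: the payload from the question.
const USER_COMMENT = "<script>alert('ss')</script>";

// 1. JSON.stringify() is serialization, not escaping: it wraps the string in
//    quotes and backslash-escapes quotes and control characters, but leaves
//    '<' and '>' untouched, so the tag is still live once it reaches a page.
function jsonStringifyKeepsTags(comment) {
  return JSON.stringify(comment).includes('<script>');
}

// 2. Entity-escape the five HTML-significant characters. This is what the
//    answer's htmlencode step does; afterwards the text can sit in an HTML
//    text node or a double-quoted attribute without being parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored (raw) comment for output. Escaping here, at render time,
// keeps the database copy untouched and avoids double encoding.
function renderCommentHtml(nick, comment) {
  return '<p><b>' + escapeHtml(nick) + '</b>: ' + escapeHtml(comment) + '</p>';
}

// 3. A Markdown link such as [test](javascript://%0d%0aprompt(1)) renders to
//    <a href="javascript://%0d%0aprompt(1)">. Entity escaping does not help
//    there, because the dangerous part is the URL scheme, so link targets
//    get a scheme allowlist (assumed list). Relative links (no scheme) pass.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isSafeHref(href) {
  let candidate = String(href);
  // Browsers strip leading control/whitespace characters and drop tab and
  // newline characters anywhere in a URL before reading its scheme, so do
  // the same; otherwise "java\tscript:" would look scheme-less and slip through.
  candidate = candidate.replace(/^[\u0000-\u0020]+/, '').replace(/[\t\n\r]/g, '');
  // Percent-decode as well, so encoded control characters like the %0d%0a in
  // the test comment are judged after decoding rather than hidden by it.
  try {
    candidate = decodeURIComponent(candidate).replace(/[\t\n\r]/g, '');
  } catch (e) {
    return false; // malformed percent-encoding: reject rather than guess
  }
  if (!/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(candidate)) {
    return true; // no scheme at all: a relative link
  }
  let parsed;
  try {
    parsed = new URL(candidate); // WHATWG parser; lowercases the scheme
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol.toLowerCase());
}

// Combine the pieces the way a comment page would use them: an unsafe link
// target is dropped and only the visible text is kept, escaped.
function renderLinkHtml(text, href) {
  if (!isSafeHref(href)) {
    return escapeHtml(text);
  }
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}

console.log('JSON.stringify keeps <script>:', jsonStringifyKeepsTags(USER_COMMENT));
console.log(renderCommentHtml('alice', USER_COMMENT));
console.log(renderLinkHtml('test', 'javascript://%0d%0aprompt(1)'));
console.log(renderLinkHtml('site', 'https://example.com/'));
```

The escaping is done when the comment is rendered, not when it is stored: storing already-escaped text, as the answer's snippets do, works but ties the stored data to HTML and yields `&amp;lt;` if a template layer escapes it a second time. The scheme check is the part a plain escaper cannot do, which is why the Markdown and XSS article linked above treats link targets separately from tag escaping.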