1

I have searched StackOverflow for an answer to this question, and I've been surprised to find very little information for what seems to be a very common task

Let's say I have an app that allows users to make posts. These posts can contain text, of course, but I also want the users to be able to insert images, and possibly videos.

So here's the dilemma. The first idea that comes to mind for storing these posts would be making a table like this:

CREATE TABLE posts(id INTEGER PRIMARY KEY AUTO_INCREMENT, owner VARCHAR(36) NOT NULL, message VARCHAR(MAX), _timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP);


  • id is an identifier for the post itself.
  • owner is an identifier for the person who created the post.
  • message contains the message, as text.
  • _timestamp represents the time created.

However, since SQL wasn't really made for storing images and other files, the images are being stored off-database. For sake of example, let's say they're stored using a product similar to Google Cloud Storage.

So, the question is, how should the message be formatted in such a way that they contain data (for example, a link) that would point to the images, without having to do too much work on the frontend code? (And without letting the user know that they're doing anything other than inserting an image).

From experience with GitHub and StackOverflow, Markdown is obviously nice, but not as user-friendly as I'd want, and doesn't work with images exactly the way I want.

I've thought about using HTML to format the message, but that brings up to main problems:

  1. How should I store HTML in such a way that prevents XSS (Cross-site Scripting)? Should I just escape everything in such a way that it can still be read as HTML on the frontend?
  2. Let's say this app is a mobile app. This means I would either have to make my own HTML parser or find an existing library for it.

So what is the best practice for this?

I see this type of functionality all the time, so what are those people (such as Facebook, Google, etc.) using?

Not only have I encountered this problem, but I feel like there should be a good answer for this on StackOverflow for others who encounter this problem.

Specifically, I want to know whether HTML is a good option, or if I should consider something else. As far as right now, I'm planning to use plain HTML, and make public URIs for Cloud Storage objects

Caleb H.
  • 1,657
  • 1
  • 10
  • 31
  • What type of DBMS? If SQL Server, don't use `TEXT` datatype. It's deprecated. – Shawn May 06 '19 at 19:59
  • In my case it's MySQL, and last I heard `TEXT` wasn't deprecated in MySQL, however I'll edit for generalization purposes. But that really doesn't help answer the question at all... – Caleb H. May 06 '19 at 20:02
  • https://stackoverflow.com/questions/6472233/can-i-store-images-in-mysql/6472268#6472268 – Shawn May 06 '19 at 20:10
  • https://www.google.com/search?q=mysql+store+images – Shawn May 06 '19 at 20:14
  • Yes, as I said in the question, I am aware that storing images directly in the database is not a good idea. Hence, storing the images separately, such as in Cloud Storage. – Caleb H. May 06 '19 at 20:15
  • https://www.owasp.org/index.php/Unrestricted_File_Upload – Shawn May 06 '19 at 20:31
  • What exactly are you trying to say? That's a basic backend issue. This is easy to fix with a bit of backend code, and this question is not about the actual code for verifying and storing the data. – Caleb H. May 06 '19 at 20:36
  • You asked for some best practices for storing user-supplied files. Accepting and handling any user data isn't just a back-end issue. It's something that the entire application should handle at every step. And unfortunately, it's not always as easy as just some back-end code. That's pretty much the entire point of all of the OWASP Cheatsheets. There are a bazillion ways for a bad actor to exploit your system, and the OWASP pages attempt to show developers how to handle them as safely as they can. User input (especially multimedia) can make for a very long weekend at the office. – Shawn May 06 '19 at 20:48
  • I updated the question a bit ago with a more specific answer. As for web app security, that's not the topic of this question. And from my experience (and my common sense), there is absolutely nothing you can do on the frontend to secure your web app, because it can theoretically all be changed. That's the whole purpose of the backend... – Caleb H. May 06 '19 at 21:14
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/192928/discussion-between-caleb-h-and-shawn). – Caleb H. May 06 '19 at 21:14

1 Answers1

2

Not speaking about specific implementation I would say you never want to insert the image/video data into the post.

These should always be either an attachment or a link.

So either you let the user to insert links into the post or you let them add attachments which are then uploaded to the server and link to them is placed into the post.

Let's say you have a situation where a user drops the image/video/audio/whatever data into the post. In that case you would fire an event that uploads the data to your storage and places the link into the post when it's done. That's what happens when you CTRL-C CTRL-V an image into GitHub message for example.

Regarding XSS, you should strip the inserted data off any javascript and stuff that you don't like and you should be fine. There are many libraries that can do this for you.

dfx413
  • 58
  • 5
  • This isn't quite as specific of an answer as I was looking for, but I may mark it as correct. As I said in the question, I already know it's not great to store the images in the database itself. Your fourth and fifth paragraphs, however, are more helpful – Caleb H. May 06 '19 at 20:22
  • Yeah, I wasn't going to give you a specific code example, sorry if that's what you were looking for. Glad to be at least a bit helpful, though. – dfx413 May 06 '19 at 20:26
  • 1
    No, I wasn't expecting anything as specific as a code example. I updated my question to give a little better of an idea. – Caleb H. May 06 '19 at 20:27
  • 2
    I would say HTML is OK as long as you escape and strip it correctly. – dfx413 May 06 '19 at 20:30