0

I have a feature on my site that allows my users to create a custom "web page". They can add HTML elements in there, CSS, and custom javascript code as they please.

I plan to store the entire web page (HTML, CSS, JavaScript, jQuery) code in MySQL data with TEXT or MEDIUMTEXT (unless you have a better solution maybe?). I'm also using PHP.

Here is a part of my insert code:

$stmt = prepare("INSERT INTO webpages (content) VALUES (:content)");
...

How can I secure the content/web page code that is being inserted into the database, and/or secure the text when it's displayed?

Here is a part of the retrieval code:

$stmt = prepare("SELECT * FROM webpages WHERE id = :id");
...

Thank you

Timmy Balk

2 Answers

0

Well, you can store an encoded / encrypted form of the HTML. But that is not a correct way. And when you try to store whole web pages in the database, it will increase the database size and decrease the performance. And you will also need to allow only the safe HTML tags.

And if you allow JavaScript and load the stored webpage content under your same domain, like https://yoursite.com/storedsite-id-or-name, there is a possibility the user can steal all the cookies of the domain by using JavaScript.

If the user inserts PHP code, there are no issues because PHP won't execute until you run the code. If you get the HTML from the database and show it as plain text, it won't execute.

But in my opinion:

You can store these lengthy html content in a file as encoded or encrypted form. And use a unique hash as the filename. You can use your custom extension too.

7815696ecbf1c96e6894b779456d330e.sitedata

And prevent direct access. And store the site information in database.

Like,

------------------------------------------------------------------
row_id | user_id | site_name   | site_source
------------------------------------------------------------------
1      | 34      | sample-site | 7815696ecbf1c96e6894b779456d330e

Then you can view the site:

https://yoursite.com/sample-site

When the user requests this URL, you need to get the site name from the URL, and get the site source file from the database. Then read the file content and decode / decrypt it to the actual content. Then you can render the page with the content.

BadPiggie
0

Generally, if you are storing and displaying HTML from users, you should run it through something like htmlpurifier to ensure that there's no malicious content in the HTML.

This will strip out any JavaScript, however, as you can't trust anything submitted.

The other way would be to display the user's HTML inside an iframe by setting its content to the saved HTML, with the sandboxing options enabled.

atymic
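
The sandboxed-iframe approach from the second answer, which also contains the cookie-theft risk raised in the first answer, as an added PHP example that is not part of either answer. The helper name `renderUserPageFrame` and the sample page are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Wrap stored, untrusted page source in a sandboxed iframe (hypothetical helper).
 * "allow-scripts" lets the user's JavaScript run, but because "allow-same-origin"
 * is NOT granted the frame gets an opaque origin: it cannot read the host site's
 * cookies, localStorage or DOM.
 */
function renderUserPageFrame(string $storedHtml, string $title): string
{
    // srcdoc is an attribute value, so the whole document is HTML-escaped once;
    // the browser decodes it back to the user's markup inside the sandbox only.
    $flags  = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $srcdoc = htmlspecialchars($storedHtml, $flags, 'UTF-8');
    $title  = htmlspecialchars($title, $flags, 'UTF-8');

    return '<iframe sandbox="allow-scripts" title="' . $title . '"'
         . ' srcdoc="' . $srcdoc . '"'
         . ' style="width:100%;height:80vh;border:0"></iframe>';
}

// Constructed sample standing in for the `content` column of the webpages table.
$storedHtml = <<<'HTML'
<h1 id="t">A user's "custom" page</h1>
<script>
  // Runs inside the sandbox; reading cookies throws because the origin is opaque.
  try { document.cookie; }
  catch (e) { document.getElementById("t").textContent += " (" + e.name + ")"; }
</script>
HTML;

$frame = renderUserPageFrame($storedHtml, 'sample-site');

// Self-check: no raw quote or angle bracket from the stored page may survive
// inside srcdoc, otherwise the content could close the attribute and leave the frame.
$attr = substr($frame, strpos($frame, 'srcdoc="') + 8);
$attr = substr($attr, 0, strpos($attr, '"'));
if (strpbrk($attr, "<>'") !== false) {
    throw new RuntimeException('srcdoc value is not fully escaped');
}

header('Content-Type: text/html; charset=UTF-8');
echo '<!doctype html><title>Host page</title>', $frame;
```

Do not add `allow-same-origin` next to `allow-scripts` for this content: a `srcdoc` frame would then share the host page's origin, and its script could reach the parent document and remove the sandbox.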