I am using http://ckeditor.com/ in a small PHP/MySQL forum I built. My questions:

  1. Is it safe to save user-created HTML like this in the database and then re-display it in my application? What precautions should I take to keep the users of my forum safe from script injection and the like?

    <p>test</p>
    <span style="font-size: 14px;">test</span>
    
  2. Would it be safer to use BBCode instead of HTML? I tried the CKEditor BBCode plugin but it lacks some basic formatting like text alignment ... Does anyone know how to extend the plugin to add text alignment to it?

  • What server-side technology are you using? – Peter Aug 29 '11 at 01:25
  • Assuming the ckeditor is script-safe, your question is already adequately covered by the ckeditor documentation. Next time, please put more effort into writing your question. – Robert Harvey Aug 29 '11 at 14:45
  • I am not saying CKEditor isn't safe; I am asking whether it is good or bad to save plain HTML in the database. – jpc Aug 29 '11 at 14:48
  • Thanks for the answer. I don't have a problem with my shift key and I am not posting from a cell phone, but why are you asking that? – jpc Aug 29 '11 at 15:42
  • Even if CKEditor were safe, it would not be an option to save plain HTML in the database: you can never trust data from the client. The server must always validate it. It is so easy to bypass client validation. – gentiane Apr 09 '19 at 19:26

1 Answer

For your first question, there are two main things you need to do:

  1. Safely save the user content to your database so that you are not vulnerable to a SQL injection attack. See this SO question for how best to handle that => Best way to stop SQL Injection in PHP.

  2. Prevent someone from submitting unsafe HTML to your database that would then be re-displayed to your users and make them vulnerable to an XSS attack. There are plenty of questions that deal with that here on SO. Here's one => XSS Prevention in PHP.

  • But do you think that saving HTML, not BBCode, in the database is good or bad? – jpc Aug 29 '11 at 14:35
  • I think HTML is okay if you have a good way of sanitizing it. BBCode is probably a little safer ... but I don't know how to make the CKEditor BBCode plugin align the text as you want. – Peter Aug 29 '11 at 14:51
  • Thanks man, finally someone who understands what I am asking. But isn't it bad when I want to send search queries to the table that I save plain HTML in? – jpc Aug 29 '11 at 14:55
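The two points in the answer, as an added example in PHP (not code from the question, the answer or CKEditor): a whitelist-based sanitizer that keeps only the `<p>`/`<span>` markup the editor produces, plus a prepared-statement insert. The `posts` table and its `user_id`/`body` columns are assumed names.

```php
<?php
// Added example, not code from the question or the answer; `posts`, `user_id`, `body` are assumed.
const ALLOWED_TAGS = ['p', 'span', 'strong', 'em', 'br'];
// The only attribute kept is `style`, and only with one of these values,
// which covers the font-size and text-alignment the forum needs.
const STYLE_PATTERN = '/^\s*(font-size:\s*\d{1,2}px|text-align:\s*(left|center|right))\s*;?\s*$/i';

function sanitize_html(string $html): string
{
    libxml_use_internal_errors(true);   // swallow parser warnings on bad input
    $doc = new DOMDocument();
    // Wrap the fragment so it has one root; the PI forces UTF-8 decoding.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root  = $doc->getElementsByTagName('div')->item(0);
    $xpath = new DOMXPath($doc);
    // Snapshot the node list because the loop mutates the tree.
    foreach (iterator_to_array($xpath->query('//*')) as $el) {
        if ($el === $root) {
            continue;
        }
        if ($el->tagName === 'script' || $el->tagName === 'style') {
            $el->parentNode->removeChild($el);   // drop element and contents
        } elseif (!in_array($el->tagName, ALLOWED_TAGS, true)) {
            // Unknown element (iframe, img, a, ...): keep its text, lose the tag.
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
        } else {
            // Dropping every attribute except a whitelisted style also removes
            // on* event handlers, href and src.
            foreach (iterator_to_array($el->attributes) as $attr) {
                if ($attr->name !== 'style' || !preg_match(STYLE_PATTERN, $attr->value)) {
                    $el->removeAttribute($attr->name);
                }
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function save_post(PDO $pdo, int $userId, string $html): void
{
    // Prepared statement: the body is bound as data, never spliced into the SQL.
    $stmt = $pdo->prepare('INSERT INTO posts (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => sanitize_html($html)]);
}
```

Running `sanitize_html()` again when rendering the stored body is cheap defence in depth, since the prepared statement protects the database and not the reader's browser. For production, the HTML Purifier library does this kind of whitelisting far more thoroughly than a hand-rolled DOM walker.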