Geek Answers Handbook

Is there a risk of a non-standard display of user input in a text field?

I save two versions of user input in the following sequence:

  • Invalid user enters raw markdown.
  • The original markdown is stored in one table.
  • A copy of the original markdown is converted to HTML.
  • HTML is cleared and saved and displayed on request.
  • The raw version of markdowns is displayed only when users edit the record; it is loaded into the form text box.

Is there a risk of loading a raw markdown (which could potentially contain unsafe HTML) into the text box? It will never be displayed outside the text box.

I cannot sanitize markdowns because this will lead to inconsistencies between markdowns and the versions of HTML that I save.

FYI: I always sanitize SQL, no matter what I save to the database.

+4
source share
3 answers

It depends on how you load it into textarea . If you do this on the server side through simple string concatenation, for example. in php,

 $output = '<textarea>' + $markdown + '</textarea>';

... then there is absolutely a risk, because this markdown can very easily close textarea and insert whatever it wants. If you use any component structure (for example, ASP.NET), then you must be protected if you use a safe API method, for example, MyTextArea.Value = markdown; .

If you do this on the client side, it also depends on how you do it. You would be safe if you used something like jQuery .val() setter, but you could still expose yourself to XSS vulnerabilities using other approaches.

In short, the general answer is yes, depending on how you actually create and fill in the textarea .

+1
source

You don’t need to sanitize it there, just take care of evacuating special HTML characters such as <and>.

For example, Stackoverflow allows you to place HTML code in your messages, it does not delete anything. This is achieved by coding, not disinfection.

+3
source

Are you at least performing SQL sanitation? When you insert or update data, are you using some type of DAO that eludes SQL or, if you use Java, with a prepared statement in which you specify the arguments?

You should always misinform things before entering the database. Otherwise, people could add stray

 '); --Malicious procedure here.

.. per request.

There are a number of security risks that leave unanimated input in the text box; basically, if the user is infected by injecting Javascript, it will be displayed for him every time.

Why even save it? Then, do you provide your user with an absolutely inconsistent idea that they are part of the displayed? They will not match. It is best to clear the input, so when the user views it again, he or she can clearly see that the offensive HTML has been removed for security.

0
source

More articles:


All Articles