I have a question. I want to store custom CSS files created by users on my website. The question is: where should I store them for better performance? Inside DB rows (MySQL), or as a local file with a dynamic name?
Comments:

ɹɐqʞɐ zoɹǝɟ (Apr 4, 2014 at 10:43, score 2)
As per opinion: local files.

blue (Apr 4, 2014 at 10:48, score 2)
You should never use files before you're completely ready to protect your local storage and you really know what you're doing. And by asking that question it seems like you should definitely forget about exposing your filesystem to the web user!

user1954544 (Apr 4, 2014 at 13:28, score 1)
You can always create your own manager for these CSS files. Basically it is better than storing in the DB: there will be no XSS, because you will store it as text and add a link to your page. Of course for some it's not a good idea, but if you know enough about file permissions, storing in files is a better case than storing in the DB.
1 Answer
DB is what I would prefer, but if you are letting users customize their CSS then keep in mind that before saving it into the DB, you should remove all special chars using htmlchar() and, while using it back, replace them with what they were earlier. This reduces the chances of an XSS attack.
Further details: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
3 Comments
user3140714
Yeah, I'm aware of that :>
logic-unit
"while using it back replace them with what they were earlier" - wouldn't that just recreate the payload?
user1954544
For storing any text, string escaping will do its job, but on viewing it can be trouble. And yes, storing in the DB is sometimes a good idea, but not for all cases.
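Worked through as an added example (not code from the original thread): the answer's escape-before-save / unescape-on-read scheme, logic-unit's objection that it just recreates the payload, and user1954544's alternative of storing the text as-is and linking it as its own resource. The sample CSS, the `serve_as_stylesheet` response shape and the `can_inline_safely` check are my own constructions, not anything the thread itself proposes.

```python
import html
import re

# Constructed sample: valid CSS followed by text that only matters in an HTML context.
USER_CSS = "body { color: red; }</style><script>alert(1)</script><style>"


def store_escaped(css: str) -> str:
    """The answer's approach: escape special characters before saving to the DB."""
    return html.escape(css, quote=True)


def load_unescaped(stored: str) -> str:
    """...and 'replace them with what they were earlier' when reading back."""
    return html.unescape(stored)


def round_trip_restores_payload(css: str) -> bool:
    """logic-unit's point: escape then unescape is the identity, so whatever was
    dangerous on the way in is dangerous again on the way out. Escaping only
    protects at the moment of output, and only for the context it is output into."""
    return load_unescaped(store_escaped(css)) == css


def serve_as_stylesheet(css: str) -> dict:
    """Defender's alternative, matching 'store it as text and add a link to your page':
    keep the raw CSS (in the DB or a file) and serve it as a separate text/css response.
    A text/css body is parsed by the CSS parser only, so '</style>' or '<script>' in it
    has no HTML meaning; nosniff stops the browser from reinterpreting the body."""
    return {
        "headers": {
            "Content-Type": "text/css; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
        },
        "body": css,
    }


# The HTML parser ends a <style> element at the first '</style' (case-insensitive).
CLOSE_STYLE = re.compile(r"</style", re.IGNORECASE)


def can_inline_safely(css: str) -> bool:
    """If the CSS must instead be embedded inside <style>...</style> in the page,
    html.escape would corrupt the CSS, so the check is whether the stored text can
    terminate the element. Reject such input; do not try to repair it. This check
    says nothing about what the CSS itself does (e.g. loading remote resources)."""
    return CLOSE_STYLE.search(css) is None
```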