
I am creating a CMS with CodeIgniter and need to store some text that is wrapped in HTML. I will then get the data from the database and echo it onto my page. What is the best way to do this while being security conscious?

Example of data:

    <h2>A fresh approach</h2>
    <p>Whether you have queries regarding your</p>
    <a href="#">cgoto page</a>

2 Answers

Apply an XSS filter before saving (better, because you'll save once and echo several times) or on output, and assign the content to a variable passed to the view. You may use $this->security->xss_clean($data_retrieved).


Sanitization is always necessary.

I'm a particular fan of using whitelists for HTML tags, so that you analyze the data you're about to store and simply wipe out the HTML tags that are not in that whitelist. This way, if you desire, you can prevent users from inserting certain tags like <script> or <object> with unpredictable or obscure behavior.

Suppose one of your CMS users uses a very dumb password and someone else gains access to the application. Filtering HTML content would prevent the impostor from inserting malicious cross-domain JavaScript to collect keyboard events (which might reveal possible passwords in login forms) and so on.

Also, it's always good to validate the HTML you're going to store, since any invalid HTML would end up hurting your website's markup and even breaking your rendering in some browsers.

Doing those checks before storing things in the database might not be enough, since data can be corrupted by direct database access, so before echoing the content do what @RodrigoFerreira said.
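The tag-whitelist approach this answer describes, as an added example in plain PHP with DOMDocument (not code from the question, the answers, or CodeIgniter's own API); the allowed tags, attributes and URL schemes are assumptions chosen to fit the question's sample content:

```php
<?php
// Added example, not code from the question or the answers: a tag/attribute
// whitelist sanitizer built on DOMDocument. The allowed lists are assumptions.
const ALLOWED_TAGS    = ['h2', 'p', 'a', 'strong', 'em', 'ul', 'li', 'br'];
const ALLOWED_ATTRS   = ['a' => ['href']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function safe_href(string $url): bool {
    // Relative links such as "#" or "/page" have no scheme and are fine;
    // absolute ones must use an allowed scheme (rejects javascript:, data:).
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', trim($url), $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function clean_node(DOMNode $node): void {
    // Walk a static copy: removing nodes mutates the live childNodes list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) { continue; }   // text nodes are data
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $node->removeChild($child);          // not whitelisted: tag and content go
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
               && ($name !== 'href' || safe_href($attr->value));
            if (!$ok) { $child->removeAttribute($attr->name); }  // e.g. onclick
        }
        clean_node($child);
    }
}

function sanitize_html(string $html): string {
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);    // tolerate sloppy markup
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" '
                   . 'content="text/html; charset=utf-8"></head><body>'
                   . $html . '</body></html>');
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);          // serialize only the fragment
    }
    return $out;
}
```

Running sanitize_html() on the question's sample keeps the h2, p and a tags intact, while a script element, an onclick attribute, or a javascript: href in the same input is removed.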

2 Comments

True. But if the attacker already has direct access to the database, filtering content on output will be the smallest problem to solve... ;) I usually apply an htmlentities filter on output (so I can except raw HTML data under certain conditions, as he should in this case) and an XSS filter before saving to the database (the best approach for performance, instead of filtering the same data again and again on each request).

The filter-before-and-after approach is still the most secure; he just needs to find a performance balance that suits his needs :] I was not talking about direct database hacking; I was referring to database inconsistencies caused by any direct database manipulation (including crazy DBAs running crazy maintenance scripts, yes it happens lol).
