views:

87

answers:

4

I want to enable comment posting on my page, so i need to execute some html encoding before post is sent and inserted into a database.

What is the ideal side for this?
Sever side(I work with asp.net) or client side (javascript)?

+4  A: 

If you mean sanitizing the user input, the only place you can do that safely is server-side. You can't be sure that anything has been done client-side, it's too easy to bypass client-side code.

It's like data validation: It's nice to do data validation (making sure key fields of a form are filled in with valid values, for instance) on the client because the immediate feedback makes for a good user experience, but doing so is not a substitute for doing it on the server, because it's trivially easy to bypass the client-side validation.

But with sanitizing input, you don't even want to try to do that client-side; assume it's un-sanitized and sanitize it on the server.

In ASP.Net, if the input you're sanitizing is a string you're later going to display in an HTML page and you want to ensure that it doesn't contain HTML tags of its own, you can use HttpServerUtility.HtmlEncode to encode the string (basically, turning < into &lt; and such).

T.J. Crowder
So, if I use TinyMCE editor on my page that does it's own encoding, it's not enough ans i must do my own encoding on server side?
shivesh
@shivesh: Right, it's not enough. You cannot trust that *any* client-side processing has been done at all. It's trivially easy to send a request to your server with unencoded data, bypassing all of your client-side stuff, in an attempt to hack your site. You have to treat all inbound data as suspect. If the data is supposed to be encoded already, you might use the fact that it isn't to flag up inappropriate activity on the account in question, although I'm a bit surprised (not having used it) that TinyMCE encodes things before sending them to you. Normal input controls don't.
T.J. Crowder
Can you recommend some library for server side checking? The content of tinymce has rich html so it will be complex to create something that is perfect from scratch.
shivesh
@shivesh: I've updated the answer to point you to `HttpServerUtility.HtmlEncode`, but if you want to allow *some* HTML and not *other* HTML (which I'm guessing you probably do, if you're using TinyMCE), then I don't have a recommendation for you I'm afraid.
T.J. Crowder
I know about HttpServerUtility.HtmlEncode I used it for simple input text box, but it's not good for this case.
shivesh
+1  A: 

Without a doubt, definitely server side. However, I would encode the input before output to the browser instead of before input to the database.

If you are using ASP .NET MVC you can use the helper method.

<%= Html.Encode("user comment with html in it <script>alert('bad')</script>") %>

If you are using ASP .NET (webforms or MVC) in the NET 4 framework, you can use the new syntax.

<%: "user comment with html in it <script>alert('bad')</script>" %>
Nate Pinchot
You suggest I should store data in database as is?
shivesh
Yes, the reason being, if you sanitize the input before storing it in the database, if it is sanitized wrong then the original user input is lost and you can't go back and fix it. In addition, say you, for example, want to output the comment to a reporting component which allows and understands HTML - here you would need the unsanitized input, but if you encode before inserting to the database, you won't have it.
Nate Pinchot
+1  A: 

Surely you should go with server side.

If you do it with client side, Users can easily get the encryption what you are using.

If it is a server side.It should be more secure.

anishmarokey
A: 

A way to do it is to keep your page in UTF-8 for whatever users may be entering with

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

in the header of output and keep the database in unicode as well. You can never be sure what users are going to input.

Every database stack also delivers the means to escape possibly malicious content, e.g. mysql_real_escape_string MySQL function in PHP.

Ain