Is it a bad idea to escape HTML before inserting into a database instead of upon output?

Question

I've been working on a forum-like system, which does not allow for HTML formatting. The method I currently use is to escape HTML entities before they get inserted into the database. I've been told (in relation to XSS vulnerabilities) that I should insert the raw comment into the database, and escape HTML entities upon output.

Other questions here I've seen on the matter seem to imply that the HTML would/could still be used for formatting, thus I'm asking for a case where the HTML would not be used at all.

Answer 1

Yes, because at some stage you'll want access to the original input entered. This is because...

• You never know how you want to display it - in JSON, in HTML, as an SMS?
• You may need to show it back to the user as is.

I do see your point about never wanting HTML entered. What are you using to strip HTML tags? If it a regex, then look out for confused users who might type something like this...

3 < 4 yes, :->

They'll only get the 3 and space if it is a regex.

Answer 2

you will also restrict yourself when performing the escaping before inserting into your db. let's say you decide to not use HTML as output, but JSON, plaintext, etc.

if you have stored escaped html in your db, you would first have to 'unescape' the value stored in the db, just to re-escape it again into a different format.

also see this perfect owasp article on xss prevention

Answer 3

I usually store both versions of the text. The escaped/formatted text is used when a normal page request is made to avoid the overhead of escaping/formatting every time. The original/raw text is used when a user needs to edit an existing entry, and the escaping/formatting only occurs when the text is created or changed. This strategy works great unless you have tight storage space constraints, since you will be duplicating data.