Hi, is it better to save the exact user input in the database, or to clean it for XSS and then store it? Or is it better to store the raw user input and then clean it when displaying it? Please guide me.
Thanks
I would say it is better to store the exact data in the database and correctly escape it when you need to display it. This will make things much easier if you later want to display it using a different medium where the dangerous characters and escaping might be different.
There are also a few other problems with relying on custom "cleaning" functions instead of using the escaping functions provided by the standard library for your language.
Unnecessary Restrictions - If, for example, you always remove <script> tags, people won't be able to talk about <script> tags on your site, like I did just now. That might be fine for some sites, but not others.
Subtle bugs - If you are writing your own "cleaning" function you might miss some dangerous input that you hadn't considered. An example is replacing <script> with an empty string, but forgetting that the user could enter <scri<script>pt>, which after the replacement will become <script>. Using the built-in escaping functions generally will work correctly as they have (hopefully) been written by experienced programmers, tested well and used in thousands of other systems where security is important.
Special Cases - If you decide to clean all your input by, for example, removing '<' and '>' in all strings before storing them, you will probably find out sooner or later that at least one specific field can't be cleaned because those characters are absolutely necessary in that one field, so you have to escape it instead. Now you have created a situation where you have to remember whether or not you should apply escaping to your data. This increases the chance of getting it wrong, and makes it difficult to see at a glance in your code whether you've forgotten to escape or whether it's one of the fields where escaping is not necessary.