javascripthtmlencodingfiddlerhtml-encode

Should I save in db - user input as html encode?


We're having conflict with coworkers on whether we should htmlencode user input and then save it to db ( vs saving it straight forward as it is)

I also found various answers which says that DB should save the plain(!) input.

Why ? because DB should know that the user length is 1 in < and not 4 in &lt;

The html encoding should only be made when outputting.

but:

Having said that , I see that Stackoverflow is not following this rule.

When I save a question here at SO , which contains plain < it does show (obviously) the &lt; in the preview pane. BUT when I submit the question : it submit the content as json with html encode !

Json.stringify is not doing html encode

So If I type in the input :

enter image description here

And submits :

I see (via fiddler) that it sends actually the html encode value :

enter image description here

Question :

As you see - i'm a bit confused. the common logic says that db should save whatever the user type 1:1.

The sanitization should be made at the output


Solution

  • You must encode input sent to the server, because otherwise the anti Cross Site Scripting protection on the server will block the entire request. However, you decode this input before saving to the DB.

    In other, what you see in the POST isn't necessarily what is saved to the database.