Hello !

I have a problem !

I'm starting a comment system for my website.
The problem is:
I want to use an HTML editor, but is not fully necesary.
My problem is with the security.
How to secure the user input that i save in database? Because i show that input on my website and i want to prevent xss, sqli and other things like that. But i still want my user to write any char. For example, daniweb uses and HTML EDITOR ( wysiwyg ).

couple of options

  1. Limit number of tags and strip off the rest (then encode string in case some entities made its way)
  2. Use HTML Purifier (google it)
  3. Use Markup language

Always validate your inputs

I don't get 1,3, can you explain ?

Member Avatar

If you strip tags, then you can't store html, script etc - although you can whitelist some specific ones, e.g. <b>, <i>, well whatever you want.

Have you considered using something like DISQUS? This takes the heat out of storing / processing comments on your own server. It's free, it's got a huge user base and it's a system therefore that many would be familiar with and could use without a lengthy login/sign-up process.

However, you may want to moderate comments, so you'd have to get into the guts of it, but definitely receommended (by me!).

BTW - html editor not necessary - well don't use it. The more complicated you make things with all these add-ons the more of an issue it is to keep things secure. A html editor (even proven ones like TinyMCE and CKEditor) may suffer from security holes. Unless you keep abreast of developments, you may not be aware that you may need to apply a security patch etc. As these editor inputs are stored on your server, you are more open to problems, compared to a DISQUS type implementation. I am not really pitting one against the other, as both approaches have slightly different uses and both have their pros and cons.