May I ask you to code when XSS, is stored in the database or when writing Html?

for example, data submitted by the user

a < b

method 1, encode when it is stored in the database, that is, it is

a < b

method 2, code when writing Html, that is, storing it in the database as is

a < b

but before writing to the page, it is encoded as

a < b

I personally prefer method 1, because XSS is caused by a misunderstanding in the browser, and the data returned in the background is not necessarily given to the browser. Other clients (such as mobile phone APP) do not have to worry about it. This is one of them.

second, if this column is to be compared in SELECT, method 2 requires that the compared values must also be encoded first, otherwise they cannot be equal, for example:

WHERE c ="a < b"

it certainly won"t work to write this way, because the database stores"a < b".

so, from a purely programming point of view, method 2 always assumes that the client is a browser, which is not good. But the problem with method 1 is that if you "remember" the code every time you write to html, it"s too easy to forget! Once forgotten, there is a security risk, right?

so what do you suggest?

Nov.01,2021

I wrote a function to save rich text at that time. Using method 2 (you must save the html tag, no way), the rich text content is method 1.

speaking of anti-xss, I was using the jsoup (java Filter xss attack script when submitting rich text on the page. Because what needs to be saved is rich text. So when it comes to page rendering, there is no escape (all the content uploaded after editing rich text is escaped, except for some tag pairs generated by rich text).

method 1 is really convenient if you don't use rich text. But in the case of rich text, when you need to find a html entity, it must be escaped.

MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1b30bad-2bd30.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1b30bad-2bd30.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?