[OWASP-Security101] Security Question - Cross Site Scripting [Stored]

Jim Manico jim.manico at owasp.org
Tue Mar 22 20:49:53 UTC 2016


 > How should the data be stored within a database - escaped or unescaped?

Well you need to escape in one of several contexts (javascript, html, 
css, etc) so I recommend you focus your efforts on escaping in the user 
interface.

The best way to stop injection (and XSS is just injection) is to provide 
your defense as close to the boundary between the parser that can hurt 
you and untrusted data. For XSS, that means escaping EVERYTHING in your UI.

Sure you can escape in the database, but you will have to un-escape and 
re-escape in the right context.

Aloha,
Jim


On 3/22/16 5:48 AM, Paul Cartmell wrote:
> Hi there
>
> I'm looking for some clarification on a particular issue relating to Stored Cross Site Scripting.
>
> To protect against this vulnerability I understand that untrusted content should be escaped to prevent execution within the client.
>
> How should the data be stored within a database - escaped or unescaped?
>
> It is my understanding that the data can be stored unescaped and as long as the content is escaped prior to client presentation, this is acceptable.
>
> Whilst the data is potentially unsafe if stored unescaped, if all possible routes to the client are correctly handled, is the vulnerability mitigated?
>
> Any input gratefully received...
>
> Thanks
>
> Paul.
>
> Paul Cartmell
> StarCode Software
> m: 07843 017397
> e: paul at starcode.co.uk
> w: www.starcode.co.uk
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
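The approach Jim describes, as an added example that is not code from the thread or from OWASP: the record is kept unescaped in storage and each output is escaped for the context it lands in (HTML body/attribute, URL parameter, JavaScript string literal) at render time. The encoder functions, the in-memory "database" record, the sample payload and the helper names are all constructed for illustration; the last function shows the double-encoding that escaping on the way into the database would hand to a non-HTML consumer such as a JSON API.

```javascript
// Added example (not from the mailing-list thread): escape at the UI boundary,
// per output context, with the raw value kept in storage. Names, the sample
// record and the payload are constructed for illustration.

// Escape for an HTML element body or a quoted HTML attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Escape for a JavaScript string literal inside a <script> block: every
// non-alphanumeric character becomes \xHH or \uHHHH, so neither a quote nor a
// literal "</script>" can terminate the string or the script element.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Escape for a value placed in a URL query string.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// Constructed "stored" record: the body is exactly what the user submitted.
const db = [
  { id: 7, author: "mallory", body: '<img src=x onerror=alert(1)>"><script>alert(2)</script>' },
];

// Render one record into three contexts, choosing the encoder per context.
function renderComment(rec) {
  return [
    `<div data-author="${escapeHtml(rec.author)}">${escapeHtml(rec.body)}</div>`,
    `<a href="/search?q=${escapeUrlParam(rec.body)}">find similar</a>`,
    `<script>var preview = '${escapeJsString(rec.body)}';</script>`,
  ].join("\n");
}

// A non-HTML consumer (JSON API) gets the raw value; JSON.stringify handles
// its own context and nothing has to be un-escaped first.
function toJsonApi(rec) {
  return JSON.stringify({ id: rec.id, body: rec.body });
}

// The pitfall of escaping on the way in: a body stored as HTML-escaped text
// reaches the JSON consumer with "&lt;" and "&gt;" in it, which a mobile or
// desktop client will display literally unless this layer un-escapes and
// re-escapes for its own context.
function toJsonApiFromEscapedStorage(htmlEscapedBody) {
  return JSON.stringify({ body: htmlEscapedBody });
}

// Check used below: does any tag from the untrusted body survive unescaped?
function containsRawPayloadTag(rendered) {
  return /<img|<script>alert/.test(rendered);
}

console.log(renderComment(db[0]));
console.log(toJsonApi(db[0]));
console.log(toJsonApiFromEscapedStorage(escapeHtml(db[0].body)));
```

The JavaScript encoder is deliberately aggressive (hex-escape everything that is not alphanumeric) so the same function is safe regardless of whether the literal is single- or double-quoted; the HTML encoder covers both element bodies and quoted attribute values, but unquoted attributes, event handlers and CSS need their own rules and are not covered here.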
