html - Storing malicious code in a database - is escape-on-output always the correct approach? -


just want understand thinking here , arrive @ correct , accepted approach issue. context in web environment , talking escaping on input database.

i understand many of reasons behind not escaping on input when taking user input , storing database. might want use input in variety of different ways (as json, sms etc) , might want show input user in original form.

before putting database make sure there no sql injection attacks protect database.

however following principals set out here , here, suggest approach of saving user input is. user input might not sql injection attack, other malicious code. in these cases ok store javascript based xss attacks database?

i want know if assumptions here correct, fine storing malicious code in database long malicious code doesn't directly affect database? case of not being database's problem, can hold malicious code , output device avoid pitfalls of malicious code?

or should doing more escaping on input suggested these principals - security concerns come before idea of escaping on output? should take approach no malicious code enters database? why want store malicious code anyway?

what correct approach saving malicious code database in context of web client/server environment?

[for purposes of ignoring sites allow code shared on them, thinking of "normal" inputs such name, comment , description fields.]

definition: use term "sanitize" instead of filter or escape, because there's third option: rejecting invalid input. example, returning error user saying "character ‽ may not used in title" prevents ever having store @ all.

saving user input is

the security principle of "defense in depth" suggests should sanitize potential malicious input , possible. whitelist values , strings useful application. if do, you'll have encode/escape these values too.

why want store malicious code anyway?

there times accuracy more important paranoia. example: user feedback may need include potentially disruptive code. imagine writing user feedback says, "every time use type %00 part of wiki title application crashes." if wiki titles don't need %00 characters, comment should still transmit them accurately. failing allow in comments prevents operators learning serious issue. see: null byte injection

up output device avoid pitfalls of malicious code

if need store arbitrary data, correct approach escape switch other encoding type. note must decode (unescape) , encode (escape); there no such thing non-encoded data - binary @ least big-endian or small-endian. folks use language's built in strings 'most decoded' format, can wonky when considering unicode vs ascii. user input in web applications urlencoded, http encoded, or encoded according "content-type" header. see: http://www.ietf.org/rfc/rfc2616.txt

most systems part of templating or parameterized queries. example, parameterized query function query("insert table values (?)", name) prevent need escape single quotes or else in name. if don't have convenience this, helps create objects track data per encoding type, such htmlstring constructor newhtmlstring(string) , decode() function.

should take approach no malicious code enters database?

because database cannot determine future possible encodings, impossible sanitize against potential injections. example, sql , html may not care backticks, javascript , bash do.


Comments

Post a Comment

Popular posts from this blog

Is there a better way to structure post methods in Class Based Views -

i'm using class based views in django , never specify url in ajax calls , omit action parameter in form because know these requests go through post method of class based view. notice view - profile page make many requests depending on user updating on page - post method become convoluted , if/else mess example: def post(self, request, *args, **kwargs): # handle user changing available date if request.post.get('availabledate') != none: self.updateavailabledate(request) return jsonresponse({'result':'success'}) if request.post.get('newprojectname') != none: creative_user = creativeuserprofile.objects.get(id = request.user.id) project = project.create_project(creative_user, request.post['newprojectname']) project.save() return jsonresponse({'projectid': project.id }) if request.post.get('projectimage') != none , request.files['file']: proj
Read more

performance - Why is XCHG reg, reg a 3 micro-op instruction on modern Intel architectures? -

i'm doing micro-optimization on performance critical part of code , came across sequence of instructions (in at&t syntax): add %rax, %rbx mov %rdx, %rax mov %rbx, %rdx i thought had use case xchg allow me shave instruction , write: add %rbx, %rax xchg %rax, %rdx however, dimay found agner fog's instruction tables , xchg 3 micro-op instruction 2 cycle latency on sandy bridge, ivy bridge, broadwell, haswell , skylake. 3 whole micro-ops , 2 cycles of latency! 3 micro-ops throws off 4-1-1-1 cadence , 2 cycle latency makes worse original in best case since last 2 instructions in original might execute in parallel. now... cpu might breaking instruction micro-ops equivalent to: mov %rax, %tmp mov %rdx, %rax mov %tmp, %rdx where tmp anonymous internal register , suppose last 2 micro-ops run in parallel latency 2 cycles. given register renaming occurs on these micro-architectures, though, doesn't make sense me done way. why wouldn't register renamer
Read more

jquery - Responsive Navbar with Sub Navbar -

good day, forgive me nav vocabulary not best. if question confusing apologize. i'm working on navigation bar needs centered on page @ 768px , above. items in nav open (or perhaps toggle) subnav lives directly below. these nav should appear centered on page. i have been able work through responsive portion of nav bar, having main items align vertically , sub nav menu of each item roll out below, , gave them indent separation. working well. however, issue not responsive side, behavior @ width greater 768px. happens toggling menu's sub navigation pushes other main items down page below sub nav. here's code: $(document).ready(function () { //stick in fixed 100% height behind navbar don't wrap $('#slide-nav.navbar-inverse').after($('<div class="inverse" id="navbar-height-col"></div>')); $('#slide-nav.navbar-default').after($('<div id="navbar-height-col"></d
Read more