The Wolf The Wolf - 1 year ago 99
SQL Question

can you get hacked by saving the HTML codes generated by texteditors like tinyMCE, QuillJS, etc.?

i hope somebody can provide advice or tips before this gets closed because I was warned that this is a subjective question.

I have my own PHP+SQL framework made out of Slim and Eloquent and planning to integrate a forum in it, and to make it more user-friendly, I am planning to add free text editors on forum posting.

Apparently, these texteditors send the HTML codes via POST, and with these I plan to save them on a MySQL database. And since its eloquent, I quite understand it already handles the prepared statement to avoid injection. But I am not sure enough if that is safe enough, I was browsing phpBB and they don't have any pretty text editor until today (or is yet to be develop for 3.2) and I browsed that they are concerned about security, and I got nervous more since they are veteran there.

Can you get injected via these simple HTML codes? What other attacks can be use against my system?


Answer Source

As long as you escape everything before inserting into SQL queries, the database will be safe... from the simplest form of SQL injection.

To protect against JavaScript injection you'll have to cleanup the markup on server side before inserting into the database by removing <script> tags. You might also want to remove iframe, link and form tags.

You'll also have to configure content filtering on client side. For example, TinyMCE has invalid_elements option, where you can list the tags to remove.

The more features a system supports, the more the risk, obviously. For example, the hacker may upload a file with a name containing a shell expression such as $(rm -rf /www/).png. So the server will be hacked, if somebody on the server accidentally runs an eval on such kind of filename. Another example is uploading a script looking like and image.

I guess, there is no point in listing more possible ways to hack the system. The answer to your question is: yes, the system can be hacked by using the popular Web editors. So I'd recommend to minimize the number of features exposed to the user, and to thoroughly sanitize the user input, especially on server side.