When a user fills out a form how do I go about escaping the user input in express.js?
Does express.js do this by default? I can't find a source.
Do I have to use a third-party module like express-validator.js?
UPDATE
I figured out the difference between escaping and validating.
What I wanted to do was escape user input but what I should be doing is validating it, making sure it's in a valid format and then escape the output to the form if it is not valid providing the user exactly what they inputted.
<%= some_html %> will automatically escape it. <%- some_html %> will output html intact.
Exactly what kind of escaping do you need to do? Express will automatically decode (not unescape) the query string for you and make it available as req.query. URL params will also be unencoded for you automatically.
If you need to escape HTML that includes user input when rendering, you should do that via your template engine. Most template engines such as jade (= value) or handlebars or mustache ({{value}}) will escape HTML by default, and require an explicit syntax to pass data through unescaped ( != value in jade or {{{value}}} in handlebars/mustache).
Related
In order to use if statements in Freemarker templates, the following syntax is used;
[#if ${numberCoupons} <= 1]
[#assign couponsText = 'coupon']
[/#if]
Is there a way to replace the '#' character with something else, because I am trying to integrate it with drools (a java based rule engine) and the '#' character is used to mark start of comments so the formatting breaks?
There isn't anything for that out of the box (it uses a JavaCC generated parser, which is static). But you can write a TemplateLoader that just delegates to another TemplateLoader, but replaces the Reader with a FilterReader that replaces [% and [/% and [%-- and --%] with [#, etc. Then then you can use % instead of # in the FreeMarker tags. (It's somewhat confusing though, as error messages will still use #, etc.)
As #ddekany wrote, you can write code that tranform the template without the pound sign, But notice it can clash with HTML or XML (and similar) tags, at least from an editor prespective.
I have the following properties string
GET 50% OFF ANY M'EDIUM OR L"AR"GE PIZZA!
I am using it in an HTML onclick markup like so
onclick="trackPromoCta(encodeURI(${properties.ctaTwoTextRight # context='text'}));"
However this outputs invalid html. I tried #context of scriptString and that escapes but only for inside JavaScript not for inside HTML markup. I tried all of the other options as well and none of them actually escape special characters for rendering HTML.
I saw someone once use a #format to search the string for these characters and escape them for HTML but I can't find out how to use #format to do this.
The expected output should be
onclick="trackPromoCta(encodeURI('GET 50% OFF ANY M'EDIUM OR L"AR"GE PIZZA!'));"
Take a look at the HTL spec for display context: https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#121-display-context
What you need is scriptString since your string property will eventually be used as a javascript string literal.
${properties.jcr:title # context='scriptString'} <!--/* Applies JavaScript string escaping */-->
Also, you need to enclose your HTL expression with single quotes, for example:
var str = '${'this is a js string literla' # context='scriptString'}'
The HTL code for you specific example would be:
onclick="trackPromoCta(encodeURI('${properties.ctaTwoTextRight # context='scriptString'}'));"
The #context value "text", "html" or "attribute" will return encoded values in your resulting html. As per documentation too, text encodes all HTML special characters.
If you go through your html's code using "View Page Source" and not via "Inspect element of developer tools". You will see the expected outcome.
onclick="trackPromoCta(encodeURI('GET 50% OFF ANY M'EDIUM OR L"AR"GE PIZZA!'));"
Reference:
https://helpx.adobe.com/experience-manager/htl/using/expression-language.html
When I have doble marks encoded in my HTML attributes, tinymce breaks that attributes.
For example:
data-value="ab"e;----"e;"> will be seen in source code: <div data-type="more-posts" data-value="ab">Hello</div>
http://codepen.io/anon/pen/MKYrbJ
How can I fix this?
If you would have real double quotes here your HTML would not be valid anymore because attributes use them.
It will be best do handle those when you save that content to your database.
You could replace them with single quotes - those wouldn't break the markup.
I want to sanitize a simple text field with a person's name, to protect from XSS and such. Stackoverflow pretty much says I must whitelist. I don't understand this. If I simply remove all < and > from the input value, or replace them with > and &ls;, does not that rule out code injection? Or am I missing something? Perhaps you only need to whitelist in more complex scenarios where you have to put up with angular brackets?
Sorry if it's a silly question, it's important to get this right.
Whether to whitelist or encode depends on how you want to use the text.
If you intend to treat the input as plain text, then encoding special characters is enough, and any HTML code entered will display as text only as long as you are careful not to allow unencoded text to end up anywhere in your HTML output. (This includes making sure any other systems you interface with don’t inappropriately use the unencoded text.)
If you want to allow some markup in the input, such as text styling or links, then you must whitelist the tags that you allow and get rid of all others.
No, it's not sufficient because if you were to include the person's name in an html attribute, you would also need to escape any double-quotes contained therein.
I am using php, mysql with smarty and I places where users can put comments and etc. I've already escaped characters before inserting into database for SQL Injection. What else do I need to do?
XSS is mostly about the HTML-escaping(*). Any time you take a string of plain text and put it into an HTML page, whether that text is from the database, directly from user input, from a file, or from somewhere else entirely, you need to escape it.
The minimal HTML escape is to convert all the & symbols to & and all the < symbols to <. When you're putting something into an attribute value you would also need to escape the quote character being used to delimit the attribute, usually " to ". It does no harm to always escape both quotes (" and the single quote apostrophe '), and some people also escape > to >, though this is only necessary for one corner case in XHTML.
Any good web-oriented language should provide a function to do this for you. For example in PHP it's htmlspecialchars():
<p> Hello, <?php htmlspecialchars($name); ?>! </p>
and in Smarty templates it's the escape modifier:
<p> Hello, {$name|escape:'html'}! </p>
really since HTML-escaping is what you want 95% of the time (it's relatively rare to want to allow raw HTML markup to be included), this should have been the default. Newer templating languages have learned that making HTML-escaping opt-in is a huge mistake that causes endless XSS holes, so HTML-escape by default.
You can make Smarty behave like this by changing the default modifiers to html. (Don't use htmlall as they suggest there unless you really know what you're doing, or it'll likely screw up all your non-ASCII characters.)
Whatever you do, don't fall into the common PHP mistake of HTML-escaping or “sanitising” for HTML on the input, before it gets processed or put in the database. This is the wrong place to be performing an output-stage encoding and will give you all sort of problems. If you want to validate your input to make sure it's what the particular application expects, then fine, but weeding out or escaping “special” characters at this stage is inappropriate.
*: Other aspects of XSS are present when (a) you actually want to allow users to post HTML, in which case you have to whittle it down to acceptable elements and attributes, which is a complicated process usually done by a library like HTML Purifier, and even then there have been holes. Alternative, simpler markup schemes may help. And (b) when you allow users to upload files, which is something very difficult to make secure.
In regards to SQL Injection, escaping is not enough - you should use data access libraries where possible and parameterized queries.
For XSS (cross site scripting), start with html encoding outputted data. Again, anti XSS libraries are your friend.
One current approach is to only allow a very limited number of tags in and sanitize those in the process (whitelist + cleanup).
You'll want to make sure people can't post JavaScript code or scary HTML in their comments. I suggest you disallow anything but very basic markup.
If comments are not supposed to contain any markup, doing a
echo htmlspecialchars($commentText);
should suffice, but it's very crude. Better would be to sanitize all input before even putting it in your database. The PHP strip_tags() function could get you started.
If you want to allow HTML comments, but be safe, you could give HTML Purifier a go.
You should not modify data that is entered by the user before putting it into the database. The modification should take place as you're outputting it to the website. You don't want to lose the original data.
As you're spitting it out to the website, you want to escape the special characters into HTML codes using something like htmlspecialchars("my output & stuff", ENT_QUOTES, 'UTF-8') -- make sure to specify the charset you are using. This string will be translated into my output & stuff for the browser to read.
The best way to prevent SQL injection is simply not to use dynamic SQL that accepts user input. Instead, pass the input in as parameters; that way it will be strongly typed and can't inject code.