JavaScript
likejavascript, 2014-05-12 20:06:49

Do I need to filter values written to MongoDB?

Currently filtering everything that should get into MongoDB using validator.js

var value = sanitizer.sanitize('возможный xss');
db.collection.update({"_id": ObjectId(...)}, {"name": value});

But I began to wonder, is it necessary? Because on the client, before outputting data, everything goes through
// Map of HTML-significant characters to their entity forms.
var HTML_CHARS = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
  '`': '&#x60;'
};

// Replaces every special character with its entity so the string is inert in HTML.
var escapeHTML = function (html) {
  return html.replace(/[&<>"'\/`]/g, function (match) {
    return HTML_CHARS[match];
  });
};

var cleaned = escapeHTML("возможный xss");

What do you think?


2 answer(s)
maxaon, 2014-05-13
@maxaon

Checking for xss should be done when generating html. Checking on save is just an added bonus. And about checking for xss https://github.com/chriso/validator.js#deprecations
For Mongo, as for any DBMS, injection checking is important. You can start with an article on Habré and an article on null byte
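An added example (not the asker's or either answerer's code) that puts both points of this answer together: escaping happens at render time with a corrected entity table, and a value destined for a Mongo filter is accepted only when it is a plain string, so an object such as `{ "$ne": null }` arriving from a parsed JSON body is rejected instead of being interpreted as an operator. All function names and the sample request bodies are assumptions constructed for the example.

```javascript
// Added example: output-side escaping plus query-side type checking.
// Names and sample inputs are constructed, not from the original post.
const HTML_CHARS = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '/': '&#x2F;', '`': '&#x60;',
};

// Output-side defence: escape special characters just before the value is
// placed into HTML. The stored value stays exactly as the user entered it.
function escapeHTML(str) {
  return String(str).replace(/[&<>"'\/`]/g, (m) => HTML_CHARS[m]);
}

// Query-side defence: values parsed from a JSON body may already be objects,
// e.g. {"$ne": null}, which Mongo would treat as a query operator.
// Fields that must be strings accept primitive strings only.
function asQueryString(value) {
  if (typeof value !== 'string') {
    throw new TypeError('expected a string, got ' + typeof value);
  }
  return value;
}

// Constructed sample inputs resembling parsed JSON request bodies.
const goodBody = { name: '<b>возможный xss</b>' };
const badBody = { name: { $ne: null } }; // object where a string is expected

// Builds the filter object that would be passed to db.collection.find().
function buildNameFilter(body) {
  return { name: asQueryString(body.name) };
}

// Returns the filter, or null when the body fails the type check.
function safeBuildNameFilter(body) {
  try {
    return buildNameFilter(body);
  } catch (e) {
    return null;
  }
}

// Render step: the stored string is escaped only here, at output time.
function renderName(storedName) {
  return '<span class="name">' + escapeHTML(storedName) + '</span>';
}
```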

Eugene Obrezkov, 2014-05-12
@ghaiklor

You can use ORM Waterline, where validators already exist.
In general, it's better to do checks on both the client and the server - that's right :)
