Storing valid, sanitised HTML in the database to mitigate malicious code injection
In a typical cross-site scripting (XSS) attack, the attacker submits an HTML form that includes malicious code. When another user visits the page on which this data is rendered, the malicious code is executed in that user's browser. There are at least a couple of ways to mitigate this risk:
1. When the attacker submits the HTML form, any malicious code is removed before the data is stored in the database.
2. When retrieving data from the database, any malicious code is removed before rendering it on the…
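As an added example (not code from the original page), the following Python shows both approaches side by side: an input-side sanitiser that keeps only an allowlisted set of tags and attributes before the text is stored, and an output-side escaper that treats stored text purely as data when it is rendered. The allowlist policy (which tags, which attributes, which URL schemes) and the sample inputs are assumptions constructed for the demonstration; it uses only the standard library's `html.parser`.

```python
import html
from html.parser import HTMLParser

# Assumed policy: tags and per-tag attributes that stored content may keep.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
# Only absolute links with these schemes survive; "javascript:" and friends are dropped.
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Input-side defence: rebuild the markup from an allowlist, dropping everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # allowed tags currently open, so output stays well formed
        self._skip_depth = 0   # >0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is removed; its text content is still kept (escaped)
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, and any other attribute
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            parts.append(f'{name}="{html.escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag != "br":
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in self._open:
            # Close this tag and anything left open inside it.
            while self._open:
                closed = self._open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self._skip_depth:
            return
        # Text is re-escaped, so "&lt;script&gt;" in the input stays inert text.
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self._open:  # close tags the submitter left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    """Approach 1: clean the submitted HTML before it is written to the database."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()  # flush buffered text before reading the result
    return parser.result()


def escape_for_html(untrusted: str) -> str:
    """Approach 2: escape stored text at render time so the browser never parses it as markup."""
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    # Constructed sample submissions, not real captured input.
    samples = [
        "<b>Hi</b><script>alert(1)</script>",
        "<img src=x onerror=alert(1)>",
        '<a href="javascript:alert(1)">x</a>',
        '<a href="https://example.com" onclick="evil()">ok</a>',
        "<i>unclosed",
    ]
    for s in samples:
        print(f"{s!r:60} -> sanitised {sanitize_html(s)!r} | escaped {escape_for_html(s)!r}")
```

The two functions are not interchangeable: `sanitize_html` preserves harmless formatting and is what you would run once on the way into the database, while `escape_for_html` renders every angle bracket literally and is the right choice whenever the stored value is meant to be plain text. Comments, `<script>`/`<style>` bodies and every attribute outside the allowlist are dropped rather than escaped, and unbalanced tags are closed so a submission cannot leave a tag open into the surrounding page.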