Is storing HTML dangerous? #712
Replies: 4 comments 3 replies
-
ProseMirror strips any tags and attributes that are not defined in your schema.
-
Yes, it is very likely to. I advise storing your files (not only HTML) in binary format to make them difficult to read or modify. You can decompile the binary to a text file at the destination. 👍
-
There is absolutely a risk. Even if ProseMirror strips HTML tags, anyone can call your backend directly and just ask it to store a piece of whatever HTML they want. You can't trust anything that happens on the client side — the attacker doesn't have to use ProseMirror (or your webpage at all) to send requests to your backend. If you are storing HTML in the database, you should either sanitize it when writing (remove all unsafe tags on the server side), or when rendering web pages containing that HTML. I would recommend the former. There are a few libraries for doing HTML sanitization.
-
Just use a sanitizer before saving to the database.
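The two replies above both come down to the same thing: the schema filtering ProseMirror does in the browser is not a security boundary, because the request that reaches the backend can be crafted without the editor at all, so the server has to sanitize before writing. The following is an added example of what such a server-side allowlist sanitizer looks like. It is not code from this thread or from ProseMirror; it assumes a Python backend and uses only the standard library (`html.parser`). The allowed tag and attribute sets, the `sanitize_html` name and the sample payloads are all assumptions made for illustration (the payloads are constructed here, not taken from any report). In production, prefer a maintained sanitizer library over hand-rolled code; the point of this block is to show what the sanitizer must do, not to replace one.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for this example): the tags/attributes your own
# ProseMirror schema can actually emit. Anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a",
                "h1", "h2", "h3", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}      # the tag AND its text are discarded
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
_CONTROL_CHARS = "".join(chr(c) for c in range(0x21))   # C0 controls and space


def is_safe_url(value):
    """True if the URL is relative or uses an allowlisted scheme.

    Browsers strip tabs/newlines and leading control characters before
    parsing a URL, so 'java\\nscript:alert(1)' runs in a browser. Apply the
    same normalisation before looking at the scheme, or that trick slips past.
    """
    cleaned = re.sub(r"[\t\n\r]", "", value).strip(_CONTROL_CHARS)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else becomes text or vanishes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded, then re-escaped by us
        self.out = []
        self.open_tags = []     # allowed tags currently open, so stragglers get closed
        self.drop_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return                                  # <img onerror=...>, <div>, <iframe>, ... gone
        allowed = ALLOWED_ATTRS.get(tag, set())
        rendered = []
        for name, value in attrs:                   # HTMLParser lowercases names for us
            if name not in allowed or value is None:
                continue                            # on* handlers, style, etc. never survive
            if name == "href" and not is_safe_url(value):
                continue                            # javascript:/data: links dropped
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)            # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return                                  # stray </div>, </img>: ignore
        while self.open_tags:                       # close anything left open inside it
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

    def handle_comment(self, data):
        pass                                        # comments are not worth keeping

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        self.close()                                # flush buffered text
        while self.open_tags:                       # close unclosed allowed tags
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(html):
    """Run on the server, on the body of the request, before the INSERT/UPDATE."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed payloads of the kind a direct POST to the backend could carry.
    for payload in ['<p onclick="steal()">Hi <strong>there</strong></p>',
                    '<img src=x onerror=alert(1)>',
                    '<a href="java\nscript:alert(1)">click</a>',
                    '<script>alert(1)</script>after']:
        print(repr(payload), "->", repr(sanitize_html(payload)))
```

The sanitizer is an allowlist, not a denylist: it does not try to recognise "bad" tags, it re-creates the document from the tags it knows are harmless and re-escapes all text, so anything unexpected (unknown tags, event-handler attributes, `javascript:` URLs, `<script>` bodies, comments) is simply not reproduced. Keep the allowed set in step with your schema, and apply the same escaping when you render stored HTML if any path other than this one can write to the table.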
-
I know I can extract either the HTML or the JSON from the editor.
But if I transfer the HTML to my database, is there a risk that somebody could insert malicious code?