
Node.js: I want to use markdown to save the data securely (against XSS) instead of the json.stringify() method

I want to use markdown to save the data securely instead of the json.stringify() method. Like this example: the user comment is <script>alert('ss')</script>

const markdown = require('markdown').markdown;
app.post('/comment', function(req, res){
    var usercomment = req.body.comment; // from comment textarea (user's comment)
    const x = markdown.toHTML(usercomment);
    var comments = new comment({user: req.session.nick, comment: x});
    comments.save();
    console.log(x);
    res.send('saved');
});

Or use json.stringify() like this: I save the user comment with json.stringify(). Later I will send the comment (from the database) to the HTML with markdown.toHTML(comment):

app.post('/comment', function(req, res){
    var usercomment = req.body.comment;
    const x = JSON.stringify(usercomment);
    var comments = new comment({user: req.session.nick, comment: x});
    comments.save();
    console.log(x);
    res.send('saved');
});

Which one should I use?

JSON and Markdown do not give you security

Neither of the things you mention will magically give you security. To handle dangerous user input, you need to sanitize the input.

A quick search on NPM gives me sanitize-html, which seems like it would be good for this purpose.

const sanitizeHtml = require('sanitize-html');
app.post('/comment', function(req, res){
    let usercomment = req.body.comment;
    // strip tags and attributes that are not on the sanitizer's allow-list
    let safe_comment = sanitizeHtml(usercomment);
    let comments = new comment({
        user: req.session.nick,
        comment: safe_comment,
    });
    comments.save();
    res.send('saved');
});

If you don't want to allow your users to use any HTML, you can escape the user comment so that their input does not act like HTML. (htmlencode seems good for this purpose)

const htmlencode = require('htmlencode');
app.post('/comment', function(req, res){
    let usercomment = req.body.comment;
    // turn <, >, &, quotes into character references so nothing is parsed as markup
    let safe_comment = htmlencode.htmlEncode(usercomment);
    let comments = new comment({
        user: req.session.nick,
        comment: safe_comment,
    });
    comments.save();
    res.send('saved');
});

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, cite this site's URL or the original address. For any questions contact yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM