Here's how on the site in question I can write a comment and sample code, for example:

This is a comment

//this is code <script>alert('1');</script>

This is another comment.

How is this correctly implemented, so that the comment is protected from XSS and the code in the comment is displayed as code? How is such a comment stored in the database: is the sample code extracted and stored separately, or is the comment stored as a whole? How is such a comment displayed (processed on output)?

Can someone write an example, or give a link to some example or to a script where this is implemented? I cannot find one!

Closed as too general by participant Nick Volynkin on 3 Jul '16 at 12:43.

Please edit the question so that it describes a specific problem with enough detail to determine a suitable answer. Do not ask several questions at once. See "How to ask a good question?" for clarification. If the question can be reformulated according to the rules set out in the help center, edit it.

  • emmm, at a minimum, XSS recognizability is related to JS, not PHP - darkwoolf
  • @darkwoolf where is it? I wrote PHP because I want to find out how it is done in PHP ... comments from God! Is the question unclear =) - bsbak
  • Yes, and if you save to the database, you can also run into another type of vulnerability: SQL injection. - AK
  • @AK yes? Seriously? I don't think I asked what you could run into - bsbak
  • @user3737786 Don't be offended, but the question is really quite large, with many nuances. In general, is it important for you to write your own code yourself (there are a lot of questions here: working with MySQL in PHP and so on), or do you in general want nice syntax highlighting of different languages (there are a lot of ready-made solutions, no need to reinvent the wheel)? - AK

1 answer

There are many different questions in your question.

  1. Comments are saved in the database in the typical way. There is, say, a MySQL database, and in it, say, a posts table (id, author, date, comment, id_parent). You need to save the data that came from the HTML form into the database; there are two typical ways to protect against SQL injection. There are already a lot of questions on this, I have just marked the group. It is unlikely that you are thinking yet about, for example, versioning of the table structure (phinx) and much more.

  2. When displaying a message, you need to read the desired post(s) from the database, and if you want to organize code highlighting, then in the minimal case you should look for the code in the body of the post and frame it in stylized <pre> and </pre> tags (with a border, a background ...). The simplest thing is to agree that the beginning of the code will be marked with [CODE] and the end with [/CODE]. Why square brackets and not angle ones? So you avoid problems with HTML (no confusion while parsing, one; protection against XSS, two). More advanced parsers can use Markdown markup (like here), but you are better off not cobbling together your own bicycle: you would collect all the rakes and vulnerabilities.

Is that enough? It turned out to be a mini-lecture, a purely introductory course.

PS: Make your questions concrete!
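
As an added example (not code from the original answer or from any project on this page), here is how the two steps in this answer, storing the comment with a bound parameter and rendering it with [CODE]...[/CODE] blocks shown as escaped <pre> text, can be done in PHP. The `posts` table and its columns are the ones the answer names; the `saveComment`, `escapeHtml` and `renderComment` function names, the use of PDO and the sample comment are assumptions.

```php
<?php
// Added example (not from the original answer): store a comment with a
// prepared statement and render it with [CODE]...[/CODE] blocks shown as code.
// The `posts` table and its columns follow the answer; the function names,
// the use of PDO and the sample comment are assumptions.

declare(strict_types=1);

/**
 * Save a raw comment exactly as typed. The text is passed as a bound
 * parameter, so it is never concatenated into the SQL string (this is the
 * protection against SQL injection). Nothing is escaped here: escaping is an
 * output concern and happens in renderComment().
 */
function saveComment(PDO $db, string $author, string $comment, ?int $parentId): int
{
    $stmt = $db->prepare(
        'INSERT INTO posts (author, date, comment, id_parent) VALUES (:author, NOW(), :comment, :parent)'
    );
    $stmt->bindValue(':author', $author, PDO::PARAM_STR);
    $stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
    $stmt->bindValue(':parent', $parentId, $parentId === null ? PDO::PARAM_NULL : PDO::PARAM_INT);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

/**
 * Escape one fragment for HTML. ENT_QUOTES covers both quote styles, so the
 * result is safe inside attribute values as well as element bodies.
 */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Turn the stored comment into HTML. Every byte of user text goes through
 * escapeHtml(); [CODE]...[/CODE] segments are additionally wrapped in
 * <pre><code>. The match is non-greedy and case-insensitive, and an
 * unterminated [CODE] is simply treated as plain text.
 */
function renderComment(string $raw): string
{
    // With PREG_SPLIT_DELIM_CAPTURE the captured code bodies are interleaved
    // with the plain-text pieces: [text, code, text, code, ..., text].
    $parts = preg_split('/\[CODE\](.*?)\[\/CODE\]/is', $raw, -1, PREG_SPLIT_DELIM_CAPTURE);
    $html = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 1) {
            // Odd indexes are the captured code bodies.
            $html .= '<pre><code>' . escapeHtml($part) . '</code></pre>';
        } elseif ($part !== '') {
            $html .= '<p>' . nl2br(escapeHtml($part)) . '</p>';
        }
    }
    return $html;
}

// Demo with a constructed comment that mirrors the one in the question.
$comment = "This is a comment\n[CODE]//this is code <script>alert('1');</script>[/CODE]\nThis is another comment.";
echo renderComment($comment), PHP_EOL;
// The <script> tag is emitted as &lt;script&gt;..., so the browser shows it as
// text inside the <pre> block instead of executing it.
```

The order of operations is the point: the comment is stored raw (with a bound parameter, never by string concatenation) and escaped only when it is turned into HTML, so the same stored text can later be rendered by a different template or a Markdown/BBCode library without double escaping. Square brackets in the markers mean the code body and the surrounding text go through the same `htmlspecialchars()` call; the only difference between them is the `<pre><code>` wrapper added around the already-escaped code.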

  • I wrote twice that syntax highlighting is not needed, but it still came to that; he still writes about syntax highlighting. Then he writes "more advanced parsers" - give at least 1 link to such a parser - bsbak
  • @user3737786, TUC, and there are links to GitHub - Mr. Black
  • The tags I gave you as an example are called BBCode; this is a very widespread thing on the net. Google any ready-made BBCode parser - here, for example, there is a bicycle and a powerful ready-made solution.. But this is only a small part of what you need - you still have a whole wagon and a small cart of questions; learn and study programming. - AK
  • Nonconstructive and inadequate. Goodbye, look for someone else who will enlighten you ... if they want to communicate. - AK
  • @Doofy, finally I understood: everything is done at the JS level, and then just inserted into the database ... gut, thanks. - bsbak