couchdb-user mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Re: Sanitize before saving to couch document?
Date Wed, 13 May 2015 08:57:14 GMT

> On 13 May 2015, at 05:33, jumbo jim <jumbojim22@gmail.com> wrote:
> 
> I am thinking about user-submitted data that I want to save. I currently
> validate and submit data directly to couch, and when I want to display the
> data back to users, I escape it first to avoid XSS. Validate on input,
> escape on output.
> 
> My question relates specifically to the step when I save the user-submitted
> data to couch. I.e. they submit a string, and I want to save that to a
> field within a document. Can couchdb accept any arbitrary string for a
> field within a document? I validate against string length. I have observed
> that special characters (quotes, newlines etc.) are automatically
> escaped (i.e. \\n). Couchdb also accepts unicode. Are there any
> situations where I need to be wary about what type of data I save to a
> document that may have been submitted by an evil user?

Ah, you want a validate_doc_update function: http://docs.couchdb.org/en/1.6.1/couchapp/ddocs.html?highlight=validate_doc_update#validate-document-update-functions

Best
Jan
-- 
Professional Support for Apache CouchDB:
http://www.neighbourhood.ie/couchdb-support/


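As an added example (not code from this thread or from the CouchDB project), the following is what a validate_doc_update function of the kind Jan points to might look like for a document type holding user-submitted text, together with a small local harness that calls it the way CouchDB does. The document type "comment", the fields "author" and "comment", and the 2000-character limit are assumptions for illustration. Note that the sample comment containing `<b>` is accepted for storage: the function enforces type, length, ownership and the absence of control characters, while HTML escaping stays an output-time concern exactly as the original poster describes.

```javascript
// Added example, not part of the mailing-list thread. Field names, the
// document type and the length limit are assumptions for illustration.
// The validation function is written in ES5 because CouchDB 1.x runs
// design-document functions in an older SpiderMonkey.

function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  // Deletions: only the original author or a server admin may delete.
  if (newDoc._deleted) {
    var isAdmin = userCtx.roles.indexOf('_admin') !== -1;
    if (!isAdmin && (!oldDoc || oldDoc.author !== userCtx.name)) {
      throw({ forbidden: 'only the author or an admin may delete' });
    }
    return;
  }
  if (newDoc.type !== 'comment') {
    throw({ forbidden: 'unknown document type' });
  }
  // Bind the author field to the authenticated user so nobody can write
  // a comment under someone else's name or re-assign an existing one.
  if (newDoc.author !== userCtx.name) {
    throw({ forbidden: 'author must be the authenticated user' });
  }
  if (oldDoc && oldDoc.author !== newDoc.author) {
    throw({ forbidden: 'author cannot be changed' });
  }
  if (typeof newDoc.comment !== 'string') {
    throw({ forbidden: 'comment must be a string' });
  }
  if (newDoc.comment.length > 2000) {
    throw({ forbidden: 'comment too long (max 2000 characters)' });
  }
  // CouchDB itself stores any JSON string (control characters become
  // escapes such as \u0000), so reject what the application never wants:
  // C0 controls other than tab, newline and carriage return.
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(newDoc.comment)) {
    throw({ forbidden: 'comment contains control characters' });
  }
  // Quotes, newlines and HTML are left alone: escaping happens on output.
}

// Local harness: CouchDB turns a thrown {forbidden: ...} into an HTTP 403.
// Here the outcome is returned so it can be checked without a server.
function checkUpdate(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx, {});
    return { ok: true };
  } catch (e) {
    return { ok: false, reason: e.forbidden || String(e) };
  }
}

// Constructed sample users and documents.
var alice = { name: 'alice', roles: [] };
var bob = { name: 'bob', roles: [] };
var admin = { name: 'root', roles: ['_admin'] };

var good = { _id: 'c1', type: 'comment', author: 'alice',
             comment: 'Line one\nLine "two" <b>stored as-is</b>' };
var spoofed = { _id: 'c2', type: 'comment', author: 'bob', comment: 'hi' };
var binary = { _id: 'c3', type: 'comment', author: 'alice', comment: 'x\u0000y' };
var tooLong = { _id: 'c4', type: 'comment', author: 'alice',
                comment: new Array(2002).join('a') };
var deletion = { _id: 'c1', _rev: '1-abc', _deleted: true };

console.log(checkUpdate(good, null, alice));        // { ok: true }
console.log(checkUpdate(spoofed, null, alice));     // author mismatch
console.log(checkUpdate(binary, null, alice));      // control characters
console.log(checkUpdate(tooLong, null, alice));     // too long
console.log(checkUpdate(deletion, good, alice));    // { ok: true }
console.log(checkUpdate(deletion, good, bob));      // not the author
console.log(checkUpdate(deletion, good, admin));    // { ok: true }
```

To use this on a CouchDB 1.6 server the function body would be placed, as a string, under `validate_doc_update` in a design document of the target database; the harness part is only for running the checks locally.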