orion_1988 Posted May 18, 2017

I developed a module which grabs information about the product from another cross-domain site (cron job) and saves it in the description field for the specific product as HTML. When I use:

....
$product->description = htmlentities($input);
$product->save();

the $input HTML gets properly escaped and stored in the database. When I open the specific product in the PrestaShop back office, load the description field, change something and then hit "Save", the value gets stored as clean HTML with all the tags etc.

I know that in Product.php the variable description is set as TYPE_HTML and Validate::isCleanHTML is enabled, but I don't think that this validation is enough, and seeing pure HTML code in the database is like a nightmare for me. So I want to add a second security step and escape the input from the back office description field before storing it again in the database, but I am unable to find the proper code and add htmlentities before PrestaShop stores it in the database.

Could someone point me to the right piece of code or advise me how to do it? Many thanks in advance.
bellini13 Posted May 18, 2017

Why is having "pure HTML code" in the database a nightmare for you?
orion_1988 Posted May 19, 2017 (Author)

XSS, SQL injection. Not that htmlentities() will help in such cases, but it will minimize the risk. Sooo, can anyone point me to the right piece of code?
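As an added example (not code from this thread and not PrestaShop core code), the following PHP shows the two choices the thread is circling around: storing the scraped HTML fully escaped with htmlentities(), which is why the back office editor shows tags as literal text and re-stores clean HTML on save, versus keeping the markup but reducing it to an allowlist of tags and attributes before it is saved. The only PrestaShop call is Validate::isCleanHTML(), used only when the class is present; the allowlists, helper names and the sample input are constructed here for illustration.

```php
<?php
// Added example, not from the thread or from PrestaShop. Two treatments for HTML that
// arrives from an external source before it becomes a product description.

/** Approach 1: escape everything. Safe to print anywhere, but the stored value is no
 *  longer HTML: the back office editor shows the tags as text, and saving from the
 *  editor stores clean HTML again (the behaviour the original post describes). */
function storeEscaped(string $input): string
{
    return htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Approach 2: keep the markup but only the tags/attributes on an allowlist
 *  (constructed list; extend it to what the shop's descriptions really need). */
function sanitizeHtml(string $input): string
{
    $allowedTags  = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'a'];
    $allowedAttrs = ['a' => ['href']];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                       // tolerate malformed fragments
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $input . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper: first div in document order
    if ($root === null) {
        return '';
    }
    cleanNode($root, $allowedTags, $allowedAttrs);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);                     // text nodes are re-encoded on output
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowedTags, array $allowedAttrs): void
{
    // These lose their content as well; any other unknown tag is unwrapped, keeping its text.
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math'];

    $children = iterator_to_array($node->childNodes);       // snapshot: the live list shifts on removal
    foreach ($children as $child) {
        if ($child instanceof DOMText) {
            continue;
        }
        if (!$child instanceof DOMElement) {                // comments, processing instructions, CDATA
            $node->removeChild($child);
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, $dropWithContent, true)) {
            $node->removeChild($child);
            continue;
        }
        cleanNode($child, $allowedTags, $allowedAttrs);     // clean the subtree before deciding on the tag
        if (!in_array($tag, $allowedTags, true)) {
            while ($child->firstChild !== null) {           // unwrap: hoist the already-cleaned children
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        $keep = $allowedAttrs[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name      = strtolower($attr->name);
            $isHttpUrl = preg_match('#^https?://#i', trim($attr->value)) === 1;
            // Drops on* handlers, style, etc., and any href that is not a plain http(s) URL.
            if (!in_array($name, $keep, true) || ($name === 'href' && !$isHttpUrl)) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

/** Both gates: PrestaShop's own check first (when running inside PrestaShop), then the allowlist. */
function acceptDescription(string $input): string
{
    if (class_exists('Validate') && !Validate::isCleanHTML($input)) {
        throw new InvalidArgumentException('description rejected by Validate::isCleanHTML');
    }
    return sanitizeHtml($input);
}

// Constructed sample input: the kind of fragment a scraping cron job might hand back.
$remote = '<p onclick="x()">Nice <b>product</b></p>'
        . '<script>alert(1)</script>'
        . '<a href="javascript:alert(1)">buy</a> <a href="https://example.com/spec">spec</a>';

echo storeEscaped($remote), PHP_EOL;
echo acceptDescription($remote), PHP_EOL;
```

The allowlist approach answers the "pure HTML in the database" worry differently from htmlentities(): what is stored is the same thing the storefront will render, so a second save from the back office editor does not undo the protection. Note that HTML entity encoding has no bearing on SQL injection; that is a matter for the query layer (escaping or parameterised queries in whatever writes the row), so the two concerns in the thread need two separate controls.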
orion_1988 Posted May 23, 2017 (Author)

someone?