CodeIgniter Forums
Question about CI XSS filter and HTMLPurifier - Printable Version

+--- Thread: Question about CI XSS filter and HTMLPurifier (/showthread.php?tid=61933)



Question about CI XSS filter and HTMLPurifier - Mel9pr - 06-01-2015

I use tinymce on my textarea input forms to make it easy to add basic things like links, formatted text, colored text and so on.

Because we are not supposed to use the CI XSS filter on the input but on the output instead, I do something like this to output textarea data:

Code:
// Filter once, on output; the same variable name is used on both lines
$textarea_data = $this->security->xss_clean($textarea_data_from_database);
echo $textarea_data;

Because I am worried about MySQL injections, I use HTMLPurifier on input textarea data like this:

Code:
// Read the POST field by its name (a string key), then purify it
$input_textarea_data = html_purify($this->input->post('input_textarea_data'));

because I cannot use CI input validation with a WYSIWYG editor (Am I right?), so I use HTMLPurifier instead.

My questions are...

Could CI XSS filter alter or neutralize HTMLPurifier's protection?

or

Must I avoid the CI XSS filter when outputting HTMLPurifier-filtered data?

Thanks!


RE: Question about CI XSS filter and HTMLPurifier - gadelat - 06-01-2015

You clearly don't properly understand XSS and SQL injections. They are separate things. What you are doing now is applying an XSS filter for both input and output, so you are escaping data twice - you are going to have a bad time if you do this. Instead, you should use the XSS filter on output and on input use CI's query builder and/or prepared statements.

Quote: because I cannot use CI input validation with a WYSIWYG editor (Am I right?), so I use HTMLPurifier instead.

I don't see a reason why you can't use normal validation. A WYSIWYG editor sends data as normal form data.
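One way to keep the two concerns apart as the reply describes: let the query builder handle SQL injection when storing, validate the field like any other form field, and sanitise the HTML once, on output. This is an added example, not code from the thread or from CodeIgniter's own documentation; it assumes a CodeIgniter 3 controller, a hypothetical `posts` table with `id` and `body` columns, and HTMLPurifier loaded as a third-party library.

```php
<?php
// Added example (not from the thread). Assumes CodeIgniter 3 and a hypothetical
// `posts` table with `id` and `body` columns.
require_once APPPATH . 'third_party/htmlpurifier/HTMLPurifier.auto.php';

class Posts extends CI_Controller
{
    public function store()
    {
        // Normal form validation works on WYSIWYG output: it is just a POST field.
        $this->load->library('form_validation');
        $this->form_validation->set_rules('body', 'Body', 'required|max_length[20000]');
        if ($this->form_validation->run() === false) {
            show_error(validation_errors(), 400);
        }

        // Second argument false: do not run xss_clean on input. The query builder
        // binds the value, so SQL injection is handled here whatever the string contains.
        $body = $this->input->post('body', false);
        $this->db->insert('posts', ['body' => $body]);
    }

    public function show($id)
    {
        $row = $this->db->get_where('posts', ['id' => (int) $id])->row();
        if ($row === null) {
            show_404();
        }

        // Sanitise once, at output, against an allow-list of tags and attributes;
        // anything not listed (script, onerror=, javascript: URLs, ...) is dropped.
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,b,i,u,a[href],span[style],ul,ol,li,br');
        $config->set('CSS.AllowedProperties', 'color');
        $purifier = new HTMLPurifier($config);

        echo $purifier->purify($row->body);
    }
}
```

HTMLPurifier is applied only in `show()`, so stored HTML is never filtered twice and entities are not mangled by a second pass.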