CodeIgniter Forums
questions about security implemented in CI4 (or who will be implemented) - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=31)
+--- Thread: questions about security implemented in CI4 (or who will be implemented) (/showthread.php?tid=67086)



questions about security implemented in CI4 (or who will be implemented) - casa - 01-13-2017

Hey.
I have some questions about the security implemented in CI4, or that will perhaps be implemented in CI4.

# Will CI4 implement all the security that CI3 provides (like $this->input->post($var, true)), or more?
Or does it already implement it (against SQL injection, XSS attacks, etc.)?
I see CSRF protection mentioned in the documentation. I know that not all of the documentation is written yet, but I would like to know if all of this is provided in the roadmap.

# Or will it be necessary to create our own filters (a switch case handmade with filter_var, for example)?

Thank you for your answer.


RE: questions about security implemented in CI4 (or who will be implemented) - kilishan - 01-13-2017

Most of the same security features from CI are already in CI4, with a couple of extras thrown in. The notable missing feature is xss_clean. I'll give a quick list and hopefully won't miss any:

* $request->getPost() and the others allow you to pass in filter_var options
* xss_clean has been removed. The way it was originally built was fragile, and made out to be a "quick fix" for all security needs, which it wasn't. Instead, you'd use the other provided tools depending on where you're sending the data.
* The View libs integrate Zend's awesome Escaper library for output escaping, which allows for correct escaping based on context (is it pure HTML, an attribute, in JS or CSS, etc.) while taking document encoding into account. We make this available through the esc() function.
* The html and form libraries will use the esc() function automatically when they create attributes.
* The CSRF library is largely unchanged from what CI3 had, since it already met OWASP recommendations.
* The database layer still auto-escapes for SQL injections as it always has.
* A new feature, Content Security Policy, is built into the Response class because that's becoming a bigger thing in the dev world and can really lock things down against XSS attacks, since it's enforced by the browser.
* It's built into the framework to be able to enforce some/all requests be served on HTTPS.
* A simple request throttler is available if needed that can be easily modified to your needs.
* Looking at replacing the current, mostly ineffective CAPTCHA system with a fairly advanced honeypot that should be able to run without any user interaction as an additional layer.

I think that's most of what exists in CI4 currently. If I'm missing a piece let me know.
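The point kilishan makes above (one "xss_clean" pass cannot be right for every place the data ends up, so escape per output context and validate with filter_var on the way in) can be shown with a stand-alone script. The following is an added example, not code from this thread or from the CodeIgniter project: it reimplements a minimal version of the context-aware escaping that CI4's esc() gets from Zend's Escaper, for the html, attr, js and url contexts only (CSS is omitted). The names escapeFor(), contextMismatchDemo() and validatedEmail(), and the sample strings, are inventions for this demo.

```php
<?php
declare(strict_types=1);

// Added example, not from the forum thread or the CodeIgniter project.
// A minimal stand-alone version of context-aware output escaping, the idea
// behind CI4's esc() (which wraps Zend's Escaper). escapeFor(),
// contextMismatchDemo() and validatedEmail() are names invented for this demo.

/**
 * Escape $value for one output context:
 *   'html' - text between tags
 *   'attr' - inside an HTML attribute value (safe even when unquoted)
 *   'js'   - inside a JavaScript string literal
 *   'url'  - a URL query-string component
 */
function escapeFor(string $value, string $context = 'html'): string
{
    switch ($context) {
        case 'html':
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        case 'attr':
            // Encode everything outside a small allowlist as a hex entity, so a
            // space or '=' cannot start a new attribute in an unquoted value.
            return preg_replace_callback('/[^A-Za-z0-9,.\-_]/u', static function (array $m): string {
                return sprintf('&#x%02X;', mb_ord($m[0], 'UTF-8'));
            }, $value);

        case 'js':
            // \xHH for Latin-1, \uHHHH otherwise; astral code points become a
            // surrogate pair. HTML entities would NOT help here: browsers do
            // not decode entities inside <script>.
            return preg_replace_callback('/[^A-Za-z0-9,._]/u', static function (array $m): string {
                $cp = mb_ord($m[0], 'UTF-8');
                if ($cp < 0x100) {
                    return sprintf('\\x%02X', $cp);
                }
                if ($cp <= 0xFFFF) {
                    return sprintf('\\u%04X', $cp);
                }
                $cp -= 0x10000;
                return sprintf('\\u%04X\\u%04X', 0xD800 | ($cp >> 10), 0xDC00 | ($cp & 0x3FF));
            }, $value);

        case 'url':
            return rawurlencode($value);

        default:
            throw new InvalidArgumentException("Unknown escaping context: {$context}");
    }
}

/**
 * Why one generic "clean" pass is not enough: the same string escaped for
 * HTML text is unchanged (nothing in it is special there), yet inside an
 * unquoted attribute the surviving space would start a new attribute.
 * The attribute escaper encodes the space and the '=' as well.
 */
function contextMismatchDemo(): array
{
    $value = 'x onmouseover=alert(1)'; // constructed sample input
    return [
        'html_escaped' => escapeFor($value, 'html'), // x onmouseover=alert(1)
        'attr_escaped' => escapeFor($value, 'attr'), // x&#x20;onmouseover&#x3D;alert&#x28;1&#x29;
    ];
}

/**
 * Input side: validate with filter_var on the way in (CI4's $request->getPost()
 * accepts the same filter constants), and still escape on the way out.
 */
function validatedEmail(array $post): ?string
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Render one untrusted value into four different contexts of a page.
// (The unquoted <input value=...> is deliberate, to show the attr escaper
// holds even there; quote your attributes anyway.)
$untrusted = '"><script>alert(1)</script>'; // constructed sample input
$page = sprintf(
    "<p>%s</p>\n<input value=%s>\n<script>var q = \"%s\";</script>\n<a href=\"/search?q=%s\">search</a>\n",
    escapeFor($untrusted, 'html'),
    escapeFor($untrusted, 'attr'),
    escapeFor($untrusted, 'js'),
    escapeFor($untrusted, 'url')
);
echo $page;
foreach (contextMismatchDemo() as $k => $v) {
    echo $k, ': ', $v, PHP_EOL;
}
var_dump(validatedEmail(['email' => 'not an address'])); // NULL
var_dump(validatedEmail(['email' => 'user@example.com'])); // string(16) "user@example.com"
```

Run it with `php escape-demo.php` and compare the four rendered lines: the same input becomes entities in text, a fully entity-encoded attribute value, `\x22\x3E\x3Cscript\x3E...` inside the JavaScript string, and a percent-encoded query value. The CI4 equivalent is `esc($value, 'html')`, `esc($value, 'attr')`, `esc($value, 'js')` and `esc($value, 'url')`; the library handles the CSS context and encoding negotiation that this reduced version leaves out.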