Issue with CI XSS option - Convert html entity string
I never use the XSS filter in CodeIgniter.

Because I don't believe it is safe. Do you know how many times there were vulnerabilities in it in the past? (But I think it is getting safer than ever.) It changes input data with very complex rules, so I can't predict the output. And it changes input data permanently; I can't get the raw data back after filtering with it.

I use html_escape() in views. It is a CodeIgniter helper for using htmlspecialchars(). https://www.codeigniter.com/userguide3/g...tml_escape

But it is not perfect either. If you want input data to include specific HTML tags, you can't use it. In that case, I use HTML Purifier http://htmlpurifier.org/.

If you want to output input data in dangerous parts, like inside <script> elements or the places where you can write URLs, it can't prevent XSS attacks perfectly. I recommend that you not output user data in dangerous parts of views.
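The following is an added illustration of the point above about html_escape() and "dangerous parts" of a view; it is not code from the post or from CodeIgniter. It runs as plain PHP: the html_escape() below is a stand-in that mirrors what the CodeIgniter 3 helper does (htmlspecialchars with ENT_QUOTES), and js_escape() and safe_url() are hypothetical helper names chosen here, not framework functions. The attacker inputs are constructed for the example.

```php
<?php
// Added example, not code from the post or from CodeIgniter. Runs with plain
// `php example.php`. html_escape() is a stand-in that mirrors what the
// CodeIgniter 3 helper does (htmlspecialchars with ENT_QUOTES); this is an
// assumption made so the script runs without the framework.

function html_escape($var, $double_encode = true)
{
    if (is_array($var)) {
        return array_map('html_escape', $var);
    }
    return htmlspecialchars((string) $var, ENT_QUOTES, 'UTF-8', $double_encode);
}

// Hypothetical helper: JS-encode a value as a JSON literal. The hex flags keep
// <, >, &, ' and " out of the JSON text, so the result is safe inside <script>
// and, after html_escape(), inside an on* attribute as well.
function js_escape($var)
{
    return json_encode($var, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Hypothetical helper: allow only http(s) or relative URLs in href/src.
function safe_url($url)
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null || in_array(strtolower($scheme), ['http', 'https'], true)) {
        return html_escape($url);
    }
    return '#'; // reject javascript:, data:, vbscript:, ...
}

// Constructed attacker inputs.
$name  = '<img src=x onerror=alert(1)>';
$link  = 'javascript:alert(document.cookie)';
$param = "'); alert(1); //";
$count = '1; alert(1)';

// 1. HTML body: html_escape() is enough; the tag is rendered as text.
echo '<p>Hello ' . html_escape($name) . "</p>\n";

// 2. href: html_escape() changes nothing in this input. The browser follows
//    the javascript: URL on click, so the value must be validated, not escaped.
echo '<a href="' . html_escape($link) . "\">unsafe</a>\n";
echo '<a href="' . safe_url($link) . "\">safe</a>\n";

// 3. Event-handler attribute: the browser decodes entities in the attribute
//    value BEFORE it is parsed as JavaScript, so &#039; turns back into a
//    quote and the payload breaks out of the string literal.
echo '<button onclick="show(\'' . html_escape($param) . "')\">unsafe</button>\n";
echo '<button onclick="show(' . html_escape(js_escape($param)) . ")\">safe</button>\n";

// 4. Inside <script>: entities are NOT decoded here, so html_escape() would
//    corrupt the data (the script sees the literal text &lt;...), and an
//    unquoted numeric slot is injectable without any quotes at all.
echo "<script>var n = " . html_escape($count) . ";</script>\n";   // unsafe
echo "<script>var n = " . js_escape((int) $count) . ";</script>\n"; // safe: 1
echo "<script>var p = " . js_escape($param) . ";</script>\n";       // safe
```

Running the script prints the unsafe and safe variant of each context side by side. Cases 1 and 2 of the "unsafe" lines show the same bytes going in and out of html_escape(), case 3 shows the attribute decoding problem, and case 4 shows why data in a script block needs a JavaScript encoder (or a type cast) rather than an HTML one.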