Issue with CI XSS option - Convert html entity string
#10

I never use the XSS filter in CodeIgniter.
Because I don't believe it is safe. Do you know how many times there were vulnerabilities in it in the past?
(But I think it is getting safer than ever.)
Because it changes input data with very complex rules. I can't predict the output. And it changes input data permanently. I can't get the raw data after filtering with it.

I use html_escape() in views. It is a CodeIgniter helper for using htmlspecialchars().
https://www.codeigniter.com/userguide3/g...tml_escape

But it is also not perfect.
If you want input data to include specific HTML tags, you can't use it. In that case, I use HTML Purifier http://htmlpurifier.org/.

If you want to output input data in dangerous places, like inside <script> elements or in places where you can write URLs, it can't prevent XSS attacks perfectly.
I recommend you not output user data in such dangerous places in views.
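Added example, not from kenjis's post or from CodeIgniter itself: plain PHP showing the three output contexts the post distinguishes. ci_html_escape() does what CodeIgniter 3's html_escape() helper does (htmlspecialchars with ENT_QUOTES); js_string_literal() and safe_href() are assumed helper names for the script and URL contexts that html_escape() alone does not cover.

```php
<?php
// Context-aware output escaping. The sample input below is constructed
// for demonstration; requires PHP 8+ for str_starts_with().

function ci_html_escape(string $s): string {
    // Equivalent of CodeIgniter 3 html_escape(): safe for text nodes
    // and for quoted attribute values, but not for script or URL context.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function js_string_literal(string $s): string {
    // Inside <script>, emit a JSON string literal. The JSON_HEX_* flags
    // hex-encode < > & ' " so the literal can never close the element
    // or break out of the string, which entity encoding does not ensure.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

function safe_href(string $url, string $fallback = '#'): string {
    // For href/src: entity encoding cannot block a dangerous URL scheme,
    // so allow-list the scheme first, then HTML-escape for the attribute.
    $scheme   = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $absolute = in_array($scheme, ['http', 'https'], true);
    // Root-relative path is fine; "//host" would be protocol-relative, so reject it.
    $rooted   = $scheme === '' && str_starts_with($url, '/') && !str_starts_with($url, '//');
    return ci_html_escape(($absolute || $rooted) ? $url : $fallback);
}

// Constructed sample values standing in for user-supplied input.
$name = '<b>O\'Neil</b> & "co"';
$link = '/profile?id=42';

echo '<p>Hello ' . ci_html_escape($name) . "</p>\n";            // text node
echo '<a href="' . safe_href($link) . '">profile</a>' . "\n";    // URL attribute
echo '<script>var name = ' . js_string_literal($name) . ";</script>\n"; // script
```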


Messages In This Thread
RE: Issue with CI XSS option - Convert html entity string - by kenjis - 03-21-2016, 02:29 PM


