xss_clean in CI 3
#11

(04-05-2015, 11:32 PM)casa Wrote: To answer concisely and effectively: $config['global_xss_filtering'] = TRUE is deprecated and is there just to assure interdependence between versions of CI.
Instead, use:
- $this->security->xss_clean($data); // on each data. No need to load the Security class
// you can see $this->input->post($v, TRUE) or $this->input->get('some_data', TRUE);
// (http://www.codeigniter.com/userguide3/li...-filtering)
- or xss_clean($data), loading the security helper beforehand in order to use this function

Have a good day.

Hi,
OK, XSS is deprecated on Input.
So, if I understand correctly, if someone writes something like <script>alert('hello')</script> in an input field, it will be recorded in the database. No problem. Could be useful for later identification.
But in this case, where should XSS protection (htmlspecialchars, strip_tags, other?) be applied to avoid the script alert: in the controller or in the view? Thinking of AJAX responses, I think it's better in the controller, no?

Or perhaps I misunderstood something about the way CI protects against XSS (of course, I am not talking about input validation).

Thanks.
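
An added example, not part of the original thread and not CodeIgniter's own code: the value from the post is kept raw, as it would be stored, and is encoded only when it is written into a specific output context (an HTML view, or a JSON body for an AJAX response). It is plain PHP so it runs without the framework; the function names `e()` and `json_body()` and the sample array are assumptions made for illustration.

```php
<?php
// Constructed sample: the string from the post, stored unmodified in the database.
$stored = "<script>alert('hello')</script>";

/**
 * HTML context (what a view does): escape at the moment of output.
 * CodeIgniter 3's html_escape() is a wrapper around htmlspecialchars();
 * the native function is called here so the script has no dependencies.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * JSON context (an AJAX response): return data, not markup.
 * The JSON_HEX_* flags encode <, >, &, ' and " as \uXXXX escapes, so the body
 * stays inert even if a browser or proxy treats it as HTML.
 */
function json_body(array $payload): string
{
    return json_encode(
        $payload,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// View: the escaped value is shown as text and is not parsed as a tag.
echo '<p class="comment">' . e($stored) . "</p>\n";

// The same helper covers a quoted attribute value, because ENT_QUOTES encodes ' and ".
echo '<input type="text" name="comment" value="' . e($stored) . "\">\n";

// Controller answering an AJAX call: in CodeIgniter 3 this string would be sent with
// $this->output->set_content_type('application/json')->set_output(...).
echo json_body(['comment' => $stored]) . "\n";

// The client decodes the JSON back to the raw string; it must be placed in the page
// with a text API (element.textContent), not innerHTML, for the escaping to hold.
$decoded = json_decode(json_body(['comment' => $stored]), true, 512, JSON_THROW_ON_ERROR);
var_dump($decoded['comment'] === $stored); // the stored data itself is never altered
```

The stored value stays available for later identification, as the post wants, because the encoding happens per output context rather than on the data itself.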


Messages In This Thread
xss_clean in CI 3 - by rocks - 02-17-2015, 10:27 PM
RE: xss_clean in CI 3 - by didi01 - 02-17-2015, 11:49 PM
RE: xss_clean in CI 3 - by Avenirer - 02-18-2015, 12:16 AM
RE: xss_clean in CI 3 - by Narf - 02-18-2015, 02:22 AM
RE: xss_clean in CI 3 - by rocks - 02-18-2015, 01:49 PM
RE: xss_clean in CI 3 - by Narf - 02-18-2015, 02:27 PM
RE: xss_clean in CI 3 - by Avenirer - 02-18-2015, 03:02 AM
RE: xss_clean in CI 3 - by twpmarketing - 02-18-2015, 08:56 AM
RE: xss_clean in CI 3 - by Narf - 02-18-2015, 09:28 AM
RE: xss_clean in CI 3 - by casa - 04-05-2015, 11:32 PM
RE: xss_clean in CI 3 - by zoé - 12-14-2016, 07:32 AM
RE: xss_clean in CI 3 - by wishmaster - 12-14-2016, 08:48 AM


