global_xss_clean

(08-29-2016, 06:23 PM)PaulD Wrote: Hi,

I cannot speak officially for CI, but I believe the plan is relatively simple. That is to move the concept of the sort of sanitation that xss_clean represents to output rather than on input. So the idea of filtering all post variables on input is a little bit moot now. Hence global xss_clean is deprecated. xss_clean itself as a function will not be going.

For me it was a real shift in processing, and at first I really could not get my head around why you would not sanitize on input (nothing to do with validation), but it does make sense, it does seem to be accepted good practice, and I have got used to the idea now, and yes it does mean better security for you and your users.

As for global output filtering in CI4, I don't know if this will be a feature or not. What it means for CI is that CI is adopting a more modern methodology for sanitation. That you need to be more careful about what you are pumping out to the user, rather than just blindly assuming everything you get from a model or a database query is safe, because you didn't allow anything unsafe in. That is a dangerous approach because you never know what sneaked into your data, or who is manipulating it. So if you send data to a user, sanitize it before it gets sent to a view.

I hope that helps, I am no expert on this at all, but it did cause me quite a bit of head scratching for a while too.

Best wishes,

Paul

Yeah, it does make sense that it's not form validation. I wasn't sure if they were removing sanitizing altogether or not. Thanks for the input.
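Added example of the output-side escaping Paul describes; it is not code from this thread or from CodeIgniter. The stored value is left untouched and each sink in the view applies its own encoding, whether the value came from a POST, a model or a database row. The helper names (esc_html, esc_js, esc_url, render_profile) and the sample row are assumptions.

```php
<?php
// Added example, not code from the thread or from CodeIgniter itself.
// Escape at output time, per sink, instead of filtering POST data on input.

// Constructed sample row, as if returned by a model or a database query.
// Nothing about its origin is trusted: the escaping below is applied
// regardless of whether the value ever passed through an input filter.
$row = [
    'name' => 'O\'Brien & "Sons" <b>Ltd</b>',
    'city' => 'São Paulo',
];

// HTML text node or quoted attribute value: encode & < > " '.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// String literal inside an inline <script> block: JSON-encode and also
// hex-escape the characters that could close the script element or break HTML.
function esc_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Query-string value or path segment: percent-encode per RFC 3986.
function esc_url(string $s): string
{
    return rawurlencode($s);
}

// The view: the same stored value is escaped differently for each sink.
// The attribute is always quoted; esc_html() alone is not enough for an
// unquoted attribute.
function render_profile(array $row): string
{
    return '<h1>' . esc_html($row['name']) . '</h1>' . "\n"
         . '<input name="city" value="' . esc_html($row['city']) . '">' . "\n"
         . '<script>var displayName = ' . esc_js($row['name']) . ';</script>' . "\n"
         . '<a href="/search?q=' . esc_url($row['name']) . '">search</a>' . "\n";
}

echo render_profile($row);
```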

