XSS_Clean does not filter PHP tags
Hello @ll,
My problems and questions:

1. Problem: I enter "<?php ?> <script>" in the "recipients" field. PHP code: //validate form input The return is "<?php ?> [removed]". But why are the PHP tags not filtered? The User Guide states that xss_clean() does this automatically if you use it.

A question: Why not filter first and then run the callback? Wouldn't that be the better way?

Sorry for my English, I'm from Germany. Thank you for your help.
Hi,
I can't answer all your questions, but I think the PHP tags will now be HTML entities following xss_clean. Also, I don't think xss_clean is a form validation rule; it is a function you perform on data. http://www.codeigniter.com/user_guide/li...-reference Hope that helps, Best wishes, Paul.
Hi Paul,
Thanks for your answer, it was very helpful. But I think the better way would be: filtering first and then the callback.
If your callback does xss_clean() and you have xss_clean in your rules, you're passing the same data through xss_clean() twice, so the resulting output is going to be questionable anyway. The xss_clean() method replaces <? with &lt;?. The pre element in HTML does not prevent the browser from decoding the HTML entities.
For the most part, the rules will be run in the order you specified. Please read the upgrade note on using xss_clean as a form validation rule and the note in the documentation of the Input class. xss_clean() should not be used on input; it should only be used when outputting data to HTML.
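The two replies above make a practical point that is easy to demonstrate outside CodeIgniter: if a filter rewrites "<?" to "&lt;?" at input time and the value is then escaped again at output time, the browser shows the user the literal text "&lt;?php" rather than "<?php", whereas escaping once at output time renders exactly what was typed as inert text. The following is an added example, not code from this thread or from CodeIgniter; input_tag_filter() is a deliberately simplified stand-in for an input-side filter and is not CodeIgniter's xss_clean(), and the submitted string is constructed for the demonstration.

```php
<?php
// Added example (not from the thread, not CodeIgniter code). Shows why an
// input-time tag filter layered under an output-time escape double-encodes,
// and why a single escape at output time is the step that makes the value safe.
declare(strict_types=1);

// Constructed input, the same shape as the value the original poster typed.
$submitted = '<?php ?> <script>alert(1)</script>';

// Stand-in for an input-side filter that neutralises PHP open/close tags.
// This is an assumption for illustration, NOT CodeIgniter's xss_clean().
function input_tag_filter(string $s): string
{
    return str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $s);
}

// Output-side escaping for an HTML text node or quoted attribute value.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Filter on input, store the filtered value, escape on output (layered).
$stored_filtered  = input_tag_filter($submitted);
$rendered_layered = html_escape($stored_filtered);
// The "&lt;" written by the input filter is escaped again to "&amp;lt;", so
// the browser displays the literal text "&lt;?php ?&gt;" to the user. The
// <script> tag is neutralised only by the output step, not by the input filter.

// 2. Store the raw value, escape once on output (what the last reply advises).
$stored_raw    = $submitted;
$rendered_once = html_escape($stored_raw);
// The browser displays exactly what was typed, as text: <?php ?> <script>...

// Wrapping either result in <pre> only changes whitespace handling; the browser
// still decodes entities inside <pre>, so "&lt;?php" still shows as "<?php",
// and an unescaped "<script>" inside <pre> would still execute.

printf("layered: %s\n", $rendered_layered);
// layered: &amp;lt;?php ?&amp;gt; &lt;script&gt;alert(1)&lt;/script&gt;
printf("once:    %s\n", $rendered_once);
// once:    &lt;?php ?&gt; &lt;script&gt;alert(1)&lt;/script&gt;
```

Run it with `php example.php`. The layered result is what the poster would see if the validation rule and the callback both rewrote the same field: correct in the sense that nothing executes, but mangled for the reader, which is the "questionable" output the reply refers to.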