Lost about XSS protection
(12-14-2016, 08:32 AM) zoé:
Hi,
As xss_clean in Input is deprecated, and as it seems to be best practice to validate input and sanitize output, I am unsure of the correct way to do this in CI (meaning in the MVC structure).
Hypothesis 1:
So the second hypothesis is:
Is there another way? The CI documentation is very poor on this part of security. Thanks.
(12-14-2016, 08:55 AM) wishmaster:
Hmmm....
My opinion says:
+ put unmodified data into the DB
+ xss_clean every output value in controllers (e.g. when the user submits a page and this page comes back with the user's errors)
+ use html_clean() on input values in views
Why do you say "do not use htmlspecialchars or strip_tags in views"??

zoé:
(12-14-2016, 08:55 AM)wishmaster Wrote: Hmmm....
Thanks for the answer. I said "do not use htmlspecialchars..." in this hypothesis because it breaks some code. Take this sample:
Code:
with $test = "Hello this is a message <script>alert('here is my alert')</script>";
UP.
zoé:
I realize that if we have to sanitize output in the controller, when I have multiple records I have to loop foreach record and then foreach field in the array or in the object to apply xss_clean. Hmm, not really good for performance, as I will have to do the same loop in the view for display. So perhaps it could be more efficient to xss_clean at input and have clean data in the database, even if I have also read that it is good practice to clean output instead of input.

Reply:
(12-14-2016, 08:32 AM)zoé Wrote: Hypothesis 1:
1. Validate inputs.
2. Do only xss_clean() at the point where you generate HTML. No htmlspecialchars(). If you want to use strip_tags() for whatever reason - do it before xss_clean().
Do your APIs return HTML that is to be directly displayed? Then sanitize there. Do they return data that is later turned into HTML? Then sanitize in views.

(12-14-2016, 08:55 AM)wishmaster Wrote: Hmmm....
If the data is already sanitized, don't do html_clean() (whatever that is) on it again. Once is just enough; more than once breaks your data.

(12-14-2016, 08:55 AM)wishmaster Wrote: Why do you say "do not use htmlspecialchars or strip_tags in views"??
Because if it's already sanitized in a controller (which probably shouldn't be the case, but that's another story), applying htmlspecialchars() on it again will result in double encoding, i.e. breaking the data.

(12-14-2016, 09:23 AM)zoé Wrote: UP.
Efficiency is not the point; security is. This is one of the reasons why security is hard - it is often at odds with a developer's natural instincts; you can't put it on rails. If you care about efficiency more than security, what you get is vulnerabilities.
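The two points the last reply makes (escape only at the point where HTML is generated, and never escape the same value twice) are shown below in a plain-PHP example added here for illustration; it is not code from the thread or from CodeIgniter. It uses htmlspecialchars() rather than CI's xss_clean(), and the esc() helper, renderMessages() and the sample rows are assumptions made for the example. The $test string is the one zoé posted.

```php
<?php
// Added example, not from the thread or from CodeIgniter: plain PHP, no framework.
// Shows "store raw, escape where the HTML is generated" and why escaping a value
// once in the controller and again in the view corrupts it (double encoding).

declare(strict_types=1);

// Escape a value for an HTML text or quoted-attribute context. Assumed helper,
// written here so the file runs without CodeIgniter; CI 3 ships html_escape()
// for the same job, and this is NOT CI's xss_clean() filter.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Sample input as a user would submit it: validated (type, length) by the
// controller but stored unmodified. Nothing is escaped before it is rendered.
$test = "Hello this is a message <script>alert('here is my alert')</script>";

// Minimal "view": every field is escaped as it is written into the markup.
// No pre-processing loop over the result set is needed in the controller;
// the view already touches each field once, so escape it there.
function renderMessages(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= '  <li data-author="' . esc($row['author']) . '">'
               . esc($row['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample rows: the posted $test, plus an attribute-context probe.
$rows = [
    ['author' => 'zoé', 'body' => $test],
    ['author' => 'a" onmouseover="alert(1)', 'body' => 'Fine text & "quotes"'],
];

echo renderMessages($rows);
// <li data-author="zoé">Hello this is a message &lt;script&gt;alert(&#039;here is my alert&#039;)&lt;/script&gt;</li>
// <li data-author="a&quot; onmouseover=&quot;alert(1)">Fine text &amp; &quot;quotes&quot;</li>
// The script tag and the injected attribute are rendered as text, not executed.

// What goes wrong when the controller escapes and the view escapes again:
$once  = esc('Fine text & "quotes"');  // Fine text &amp; &quot;quotes&quot;
$twice = esc($once);                   // Fine text &amp;amp; &amp;quot;quotes&amp;quot;
echo $twice, "\n";                     // the browser now displays "&amp;" literally
assert($once !== $twice);
```

Escaping is context-specific: esc() above is only correct inside element text and quoted attributes; a value placed inside a JavaScript block, a URL or a CSS property needs the encoding for that context, and a value that is already stored encoded must be decoded or passed through untouched, never encoded a second time.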