global_xss_clean
#1

So I'm setting up a site using 3.1.0. I've set one up using CI 3.0.0 in the past, and I noticed that in the config it says global_xss_clean is deprecated. Is XSS cleaning going away completely, or just global_xss_clean? Will there be global sanitation?

Basically, what I'm asking is how will this affect CI once it's removed entirely?
#2

Hi,

I cannot speak officially for CI, but I believe the plan is relatively simple. That is to move the concept of the sort of sanitation that xss_clean represents to output rather than on input. So the idea of filtering all post variables on input is a little bit moot now. Hence global xss_clean is deprecated. xss_clean itself as a function will not be going.

For me it was a real shift in processing, and at first I really could not get my head around why you would not sanitize on input (nothing to do with validation), but it does make sense, it does seem to be accepted good practice, and I have got used to the idea now, and yes it does mean better security for you and your users.

As for global output filtering in CI4, I don't know if this will be a feature or not. What it means for CI is that CI is adopting a more modern methodology for sanitation. That you need to be more careful about what you are pumping out to the user, rather than just blindly assuming everything you get from a model or a database query is safe, because you didn't allow anything unsafe in. That is a dangerous approach because you never know what sneaked into your data, or who is manipulating it. So if you send data to a user, sanitize it before it gets sent to a view.

I hope that helps, I am no expert on this at all, but it did cause me quite a bit of head scratching for a while too.

Best wishes,

Paul
#3

(08-29-2016, 06:23 PM)PaulD Wrote: I cannot speak officially for CI, but I believe the plan is relatively simple. That is to move the concept of the sort of sanitation that xss_clean represents to output rather than on input. So the idea of filtering all post variables on input is a little bit moot now. Hence global xss_clean is deprecated. xss_clean itself as a function will not be going.

Yeah, it does make sense that it's not form validation. I wasn't sure if they were removing sanitizing altogether or not. Thanks for the input. Smile
#4

Global xss_clean is very heavy; you're better off just using it on your inputs.

Just add TRUE to the last parameter on your inputs.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#5

If you are worried about the performance you should cache the output after you have xss_cleaned the output. It's bad advice to use it on input! Read the 3.x manual about this issue. As Paul explained, at first it can feel a bit strange (because you don't want to store any xss shit in your database) but it does make a lot of sense.

Consider somewhere in the future there is some new bug where some xss script gets past the xss_cleaned function and you already have been exploited before there is a security update about CI. If you xss_clean the input (as you suggest) you must manually check your database to remove the exploits. If you filter your output on the other hand, your site is immediately fixed after you have updated CI.

https://www.codeigniter.com/user_guide/l...input.html
#6

That's a really good point.

Another reason not to xss_clean is that it can cause problems like this too:

Someone inputs this into a field.
PHP Code:
$test = 'Hello<script>';

The field has the following rules:
PHP Code:
$this->form_validation->set_rules('test', 'Test Field', 'max_length[13]|xss_clean');

The data passes validation. Then xss_clean changes it to

PHP Code:
Hello[removed]

Now presuming your database will only accept a string of 13 characters, this string, which passed your validation but is now 14 characters long, will fail a database write. The same can happen if you use htmlentities on your input too.

That might be thought of as a silly example, but Diederik's answer is much more likely to occur and is much more relevant.

Best wishes,

Paul

PS I run the xss_clean on most output (not my own internally generated fields like dates or id codes) without any noticeable slowing in my sites. I also use htmlentities on the echoed fields in the views too. I find it quite funny when people don't and a </div> in a field breaks their site.
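An added example, not from this thread and not CodeIgniter's own code, that walks through the two approaches discussed in posts #5 and #6 in plain PHP: filtering on input (where the 13-character value that passed max_length[13] becomes 14 characters and no longer fits the column) versus storing the validated raw value and escaping it at render time. In a real CI 3 application the corresponding calls are $this->input->post('test', TRUE), $this->security->xss_clean() and html_escape(); so that the script runs without the framework it only emulates the "[removed]" substitution, and every function, constant and sample value in it is made up for illustration.

```php
<?php
// Added example (not from the original thread or from CodeIgniter). All names,
// constants and the sample value below are constructed for illustration.
declare(strict_types=1);

// Constructed sample input: exactly 13 characters, so it passes max_length[13].
const SUBMITTED = 'Hello<script>';
const COLUMN_WIDTH = 13; // stand-in for a VARCHAR(13) column

// Stand-in for CodeIgniter's xss_clean(): the real filter replaces script tags
// (and many other dangerous tokens) with the literal string "[removed]". Only
// that single substitution is emulated here.
function emulatedXssClean(string $value): string
{
    return preg_replace('#</?script[^>]*>#i', '[removed]', $value);
}

// Stand-in for a strict-mode VARCHAR(n) column: values longer than n are rejected.
function storeInColumn(string $value, int $width): string
{
    if (mb_strlen($value) > $width) {
        throw new LengthException(sprintf(
            'value is %d characters, column holds %d', mb_strlen($value), $width
        ));
    }
    return $value;
}

// Approach 1 (filter on input): validate the raw value, run the filter, store.
// The length rule saw 13 characters; the filter then produces 14, so the write fails.
function filterOnInput(string $submitted): array
{
    $passedValidation = mb_strlen($submitted) <= COLUMN_WIDTH; // max_length[13]
    $cleaned = emulatedXssClean($submitted);
    try {
        storeInColumn($cleaned, COLUMN_WIDTH);
        $stored = true;
    } catch (LengthException $e) {
        $stored = false;
    }
    return [
        'validated'    => $passedValidation,
        'after_filter' => $cleaned,
        'stored'       => $stored,
    ];
}

// Approach 2 (escape on output): store the validated raw value unchanged and
// escape it only when it is rendered into a view. Because the raw text is kept,
// an improved filter or escaper applies to existing rows the moment it is deployed.
function escapeOnOutput(string $submitted): array
{
    $passedValidation = mb_strlen($submitted) <= COLUMN_WIDTH;
    $stored = storeInColumn($submitted, COLUMN_WIDTH); // 13 characters, fits
    // CI 3's html_escape() is essentially htmlspecialchars() with ENT_QUOTES.
    $rendered = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return [
        'validated' => $passedValidation,
        'stored'    => $stored,
        'rendered'  => $rendered,
    ];
}

print_r(filterOnInput(SUBMITTED));
print_r(escapeOnOutput(SUBMITTED));
```

Running it shows the first array with `stored` false (the filtered value is `Hello[removed]`, one character too long for the column) and the second with the raw value stored and `Hello&lt;script&gt;` as the rendered text, which is the shift from input filtering to output escaping that the posts above describe.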




Theme © iAndrew 2016 - Forum software by © MyBB