About security->xss_clean() function

#1
Hello, 
I would like to ask a question.
In Codeigniter 3, we have security->xss_clean() function.
What is an alternative for it?
Reply

#2
Well, I will kick this off on the basis of "discussion" only and different approaches for CI4.
I have a particular problem in that I have a light CMS system where the admin, once logged in, can create a blog and then also edit blogs.

That means I have to allow that they will type in <p> </p> ' etc. and limit issues and damage from possible injection.
The edit of a blog is done by a form which you can't in theory access unless logged in. The form has <?= csrf_field() ?> in it etc., so in theory what's posted should get to the controller that processes it, unless it's by admin.

I've played with it, used htmlentities() etc. and then had to look at ignore flags since on a second edit ' might still be there. I've read that some chars are bad and some say <> is OK.

I've had HTML tags like <br> get through to the view but not be parsed. The best approach I've come up with so far is the regex pattern

Code:
// "+" must not be escaped here: "\+" matches a literal plus sign instead of repeating the class
$allButBadChars='/[^#;<>\/&a-zA-Z0-9\s]+/';

What that regex says when used with preg_replace is: don't remove the alphabet a-z, nor A-Z, nor 0-9, nor < > / ; whitespace &, but remove e.g. ` ' " {} etc.

Then I use preg_replace($this->allButBadChars, '', $input);
// I replace all to be removed with blank space


where $input is the text field from the form input (from an admin).

Basically it will allow HTML tags like <br> <p> </p> through, and also
Code:
double quote, single quote as HTML entities
I'm still thinking and working on it.

There is also the use of esc(), but it gave some problems.

Should be interesting to see other approaches.
Reply

#3
Thank you
Reply

#4
There is also an escape function, callable everywhere in your application.

esc($string)
Reply
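An added example (not code from this thread or from CodeIgniter) putting the regex from post #2 next to the output escaping that esc() in post #4 performs. It assumes plain PHP with no framework, and approximates esc() for the HTML context with htmlspecialchars, which is what HTML-text escaping reduces to.

```php
<?php
// Added example: input-side character stripping versus output-side escaping.
// Assumption: plain PHP 7.4+/8.x, no CodeIgniter; esc() is stood in for by
// htmlspecialchars() for the HTML body context.

// Post #2's pattern with the quantifier fixed ("\+" would match a literal plus).
const ALL_BUT_BAD_CHARS = '/[^#;<>\/&a-zA-Z0-9\s]+/';

// Strips backticks, quotes, braces, etc. from the stored value, but keeps
// every < > / character, so any tag the admin types survives intact and
// will be rendered by the browser. This limits some characters; it is not
// an XSS defence by itself.
function stripBadChars(string $input): string
{
    return preg_replace(ALL_BUT_BAD_CHARS, '', $input);
}

// Escapes at output time, right before the value is echoed into HTML.
// Every < > & " ' becomes an entity, so the browser shows the text
// literally instead of interpreting it. ENT_QUOTES also makes the value
// safe inside a double- or single-quoted attribute.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: a line a blog admin might legitimately type.
$sample = "<p>It's a \"quoted\" line</p>";

// First form keeps the <p> tags but loses the apostrophe and the quotes;
// second form keeps every character and renders all of them as plain text.
echo stripBadChars($sample), PHP_EOL;
echo escapeForHtml($sample), PHP_EOL;
```

Escaping on output solves the "on a second edit the quote is gone" problem from post #2, because the stored value is never modified. Where the admin's HTML must actually render, the tool for that is an allow-list HTML sanitizer over tags and attributes, not a character-class regex.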



