CodeIgniter Forums

Full Version: is xss_clean still a good practice to validate form

I'm using CodeIgniter 3.1.11, and in order to validate a form against XSS, I use something like this:

$this->form_validation->set_rules('first_name', 'First Name', 'trim|required|xss_clean');

In autoload.php, I load the security helper:

$autoload['helper'] = array('url', 'form', 'security');

I checked the docs online, but I didn't see xss_clean in the form_validation section.

I found some solutions online that use this practice (xss_clean), but the solutions are pretty old, from 2015...
I said to myself that maybe this option is deprecated.

Thank you for your help.
This is usually not used on forms. I am using html_escape() in views, and escape() in database queries.
There isn't an "xss_clean" rule in CI v3 like there was in previous versions. You should remove that from your rules. You will probably find this comment in the Upgrading from 2.2x to 3.0.x instructions to be very interesting.

CI v3 has an xss_clean() function in the Security Class. And there is the same function in the security helper. (It actually calls the Security class method.)

Also, check out the Input Class which makes it easy to run POST and GET data through the xss_clean function.

But you really ought to do some research on what is considered best practice for avoiding XSS attacks. The xss_clean function isn't really viable these days.
Here is a good read on it by Google.

Google Application Security - Cross-site scripting
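As an added example (not code from the thread or from CodeIgniter itself), here is the approach the replies point to: keep the validation rules without xss_clean and escape at output time, with a different encoding for each rendering context. escape_html() is a stand-in written for this example and modelled on CI3's html_escape(), which wraps htmlspecialchars() with ENT_QUOTES; escape_js() and render_profile() are hypothetical names.

```php
<?php
// Validation stays about the data's shape, not about HTML:
//   $this->form_validation->set_rules('first_name', 'First Name', 'trim|required');
// Protection against XSS then happens where the value is written into a page.

// Stand-in for CI3's html_escape(): htmlspecialchars() with ENT_QUOTES so both
// single and double quotes are encoded, which makes it safe inside attributes.
function escape_html(string $value, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $charset, true);
}

// A value written into an inline <script> block needs JavaScript encoding,
// not HTML encoding. These json_encode() flags also hex-escape <, >, & and
// quotes, so the string can never terminate the surrounding script element.
function escape_js(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Render the same "first_name" value into three contexts of one view fragment.
// One input-side filter cannot be right for all three; per-context output
// encoding is.
function render_profile(string $first_name): string
{
    $html = escape_html($first_name);
    $js   = escape_js($first_name);
    return "<h1>Hello, {$html}</h1>\n"
         . "<input type=\"text\" name=\"first_name\" value=\"{$html}\">\n"
         . "<script>var firstName = {$js};</script>\n";
}

// Constructed sample input: quotes and angle brackets as a user might type them.
$input = 'O\'Brien "Bob" <b>';
echo render_profile($input);
// Body and attribute get: O&#039;Brien &quot;Bob&quot; &lt;b&gt;
// Script block gets:      "O\u0027Brien \u0022Bob\u0022 \u003Cb\u003E"
```

Run it with the php CLI; the value is stored and validated untouched, and only its rendered form changes per context.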