CodeIgniter Forums

Full Version: About security->xss_clean() function
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hello, 
I would like to ask a question.
In Codeigniter 3, we have security->xss_clean() function.
What is an alternative for it?
well i will kick this off on the basis of "discussion" only and different approaches for CI4
I have a particular problem in that I have a light CMS system where admin once logged in can create a blog and then also edit blogs.

That means I have to allow either that they will type in <p>  </p> ' etc and limit issues and damage by possible injection.
The edit of a blog is done by a form which you can't in theory access unless logged in. The form has <?= csrf_field() ?> in it etc so in theory whats posted should get to the controller that processes it,unless its by admin.

I've played with it ,used htmlentities() etc and then had to look at ignore flags since on a second edit ' might still be there. I've read that some chars are bad and some say <> is ok .

I've had html tags like <br> bet through to the view but not be parsed. The best approach i've come up with so far is the regex pattern

Code:
$allButBadChars='/[^#;<>\/&a-zA-Z0-9\s]\+/';

what that regex says when used with preg_replace  is don't remove alphabet a-z , nor A-Z nor 0-9 nor < > / ; white space & but remove eg ` ' " {} etc 

then i use preg_replace($this->allButBadChars, '', $input);
//i replace all to be removed with blank space


where $input is textfield from form input (form an admin)

basically it will allow html tags like <br> <p> </p> through and also
Code:
double quote , single quote as html entities
i'm still still thinking and working on it.

there is also use of esc() but it gave some problem

should be interesting other approaches
Thank you
There is also a escape-function. Callable everywhere in your appliction.

esc($string)