CodeIgniter Forums
xss_clean in CI 3 - Printable Version




xss_clean in CI 3 - rocks - 02-17-2015

I am wondering if xss_clean is deprecated or terminated in CI 3.0.0?
I've used it for a while in my form validation.
PHP Code:
$this->form_validation->set_rules('login', 'user', 'trim|required|xss_clean');

Now it throws an error:
Unable to access an error message corresponding to your field name ******

If it's terminated, what is its alternative?

Thanks


RE: xss_clean in CI 3 - didi01 - 02-17-2015

Hi,

Please check autoloading the security helper. I had the same problem a few weeks ago and this was the solution.

Regards
Dieter


RE: xss_clean in CI 3 - Avenirer - 02-18-2015

xss_clean is no longer part of form validation. The alternative is not to use it, as xss_clean is doing sanitization and not validation.

xss_clean is part of the security helper. If you need to do it, after validation you do a:

$this->load->helper('security');
$value = $this->input->post('formvalue', TRUE); // ...where TRUE enables the xss filtering

... I think...

Also, you can enable global xss filtering in the config.php file:

$config['global_xss_filtering'] = TRUE;


RE: xss_clean in CI 3 - Narf - 02-18-2015

You should've read the upgrade instructions or at least searched the forum topics to see if the question hasn't already been answered here (it was, multiple times).

(02-18-2015, 12:16 AM)Avenirer Wrote: xss_clean is no longer part of form validation. The alternative is not to use it, as xss_clean is doing sanitization and not validation.

xss_clean is part of the security helper. If you need to do it, after validation you do a:

$this->load->helper('security');
$value = $this->input->post('formvalue', TRUE); // ...where TRUE enables the xss filtering

... I think...

Also, you can enable global xss filtering in the config.php file:

$config['global_xss_filtering'] = TRUE;

Please don't recommend 'global_xss_filtering'. That is a bad solution, even worse than manually applying xss_clean on individual inputs.


RE: xss_clean in CI 3 - Avenirer - 02-18-2015

@Narf Well... I did mention that xss_clean is not for validation :P


RE: xss_clean in CI 3 - twpmarketing - 02-18-2015

@Narf
  Since you don't "recommend" using xss_clean() on form input, how or where, exactly, do you suggest to perform this kind of cleaning?


RE: xss_clean in CI 3 - Narf - 02-18-2015

(02-18-2015, 08:56 AM)twpmarketing Wrote: @Narf
  Since you don't "recommend" using xss_clean() on form input, how or where, exactly, do you suggest to perform this kind of cleaning?

What is the opposite of input?

No offense, but you should really start paying at least a little attention to detail. This is an essential skill in programming.

My last exchange with you was in relation to something that was already resolved and you copy-pasted the linked information, to which I expressed my annoyance. In your private message following that, you argued that me linking the relevant information instead of writing an in-thread answer was "obfuscation". You did do it in a polite manner though - saying this just to avoid misunderstandings, I'm not trying to make you look bad.

I am equally annoyed now.

Yes, this is a forum board and many people will come here seeking answers. That is all fine for complex, non-standard or otherwise non-obvious problems. But why would we write documentation if we were to repeatedly answer the same questions? We should educate our users to read the documentation, where the (quite obvious) answer to your question is explained.

Please take a note of this.


RE: xss_clean in CI 3 - rocks - 02-18-2015

(02-18-2015, 02:22 AM)Narf Wrote: Please don't recommend 'global_xss_filtering'. That is a bad solution, even worse than manually applying xss_clean on individual inputs.

The thing is, I don't see where the documentation stated that usage of xss_clean is bad. And for sure, it did not state that turning on 'global_xss_filtering' is bad either. Maybe I am reading the wrong documentation, or maybe I wasn't in the right section.

Please feel free to point me there...


RE: xss_clean in CI 3 - Narf - 02-18-2015

(02-18-2015, 01:49 PM)rocks Wrote:
(02-18-2015, 02:22 AM)Narf Wrote: Please don't recommend 'global_xss_filtering'. That is a bad solution, even worse than manually applying xss_clean on individual inputs.

The thing is, I don't see where the documentation stated that usage of xss_clean is bad. And for sure, it did not state that turning on 'global_xss_filtering' is bad either. Maybe I am reading the wrong documentation, or maybe I wasn't in the right section.

Please feel free to point me there...

http://www.codeigniter.com/userguide3/installation/upgrade_300.html#step-13-check-for-usage-of-the-xss-clean-form-validation-rule

Though, indeed, it doesn't say anything about global_xss_filtering, I should add that.


RE: xss_clean in CI 3 - casa - 04-05-2015

To answer concisely and effectively: $config['global_xss_filtering'] = TRUE is deprecated and is there just to assure interdependence between versions of CI.
Instead use:
- $this->security->xss_clean($data); // on each data. No need to load the Security class
// see also $this->input->post($v, TRUE) or $this->input->get('some_data', TRUE);
// (http://www.codeigniter.com/userguide3/libraries/input.html?highlight=xss#xss-filtering)
- or xss_clean($data), loading the security helper beforehand in order to use this function

Have a good day.
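
Added example, not part of any post in this thread and not CodeIgniter's own code: a CI 3 controller that keeps form validation to validation only (no xss_clean rule), reads the raw value, and escapes it where it is written into HTML. The controller name `Login`, the view names `login_form` and `welcome`, and the `max_length[64]` limit are assumptions for illustration.

```php
<?php
// application/controllers/Login.php (hypothetical controller name)
defined('BASEPATH') OR exit('No direct script access allowed');

class Login extends CI_Controller
{
    public function index()
    {
        $this->load->library('form_validation');
        $this->load->helper('form');

        // Validation rules only: does the field exist and fit the expected shape?
        // The CI 2 style 'trim|required|xss_clean' is what triggers
        // "Unable to access an error message ..." in CI 3 when the
        // security helper is not loaded.
        $this->form_validation->set_rules('login', 'user', 'trim|required|max_length[64]');

        if ($this->form_validation->run() === FALSE) {
            // Re-display the form together with the validation errors.
            $this->load->view('login_form');
            return;
        }

        // No second argument: the value is not XSS-filtered on input,
        // so what is stored or compared is exactly what was submitted.
        $login = $this->input->post('login');

        // Escaping happens in the view, at the point of output.
        $this->load->view('welcome', array('login' => $login));
    }
}

/*
 * application/views/welcome.php (hypothetical view)
 *
 *   <p>Hello, <?php echo html_escape($login); ?></p>
 *
 * html_escape() is CodeIgniter's wrapper around htmlspecialchars(), so a
 * submitted value such as <b>x</b> is rendered as text, not as markup.
 */
```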