CodeIgniter Forums
About security (XSS, CSRF, etc) - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: Best Practices (https://forum.codeigniter.com/forumdisplay.php?fid=12)
+--- Thread: About security (XSS, CSRF, etc) (/showthread.php?tid=1337)
About security (XSS, CSRF, etc) - geekita - 03-01-2015

With this commit

https://github.com/bcit-ci/CodeIgniter/commit/9187ed3516ba403d09fc88ebcf6ead7364f75c4d

I see that $config['global_xss_filtering'] is now deprecated and "... XSS filtering should not be done on input data, but on output instead."

But what does 'output' really mean? What if I just need to log user input into a file or database and I want it to be as clean as possible?

What are the golden rules about protection against attacks like XSS, CSRF, etc. using CI 3?


RE: About security (XSS, CSRF, etc) - Narf - 03-01-2015

It's very simple - XSS is a browser attack, therefore if something isn't displayed in a browser, don't do XSS escaping on it.
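An added example to illustrate the rule in the reply above (this is not code from the thread or from the CodeIgniter project): the value is stored and logged raw, and the encoder that matches each sink is applied only at output time. The helper names (storeRaw, escapeHtml, escapeJson) and the sample input are assumptions constructed for the example; the only CodeIgniter-specific fact relied on is that CI 3's html_escape() helper wraps htmlspecialchars() with ENT_QUOTES.

```php
<?php
// Added example, not code from the CodeIgniter project or from the thread.
// Demonstrates "escape on output": keep the stored value raw and apply the
// encoder that matches each sink at the moment the value is rendered.

declare(strict_types=1);

// Constructed sample input, as a user might submit it in a form field.
$userInput = '<script>alert(1)</script> O\'Reilly & "friends"';

// 1. Persisting or logging: no XSS escaping. A log file or a database column
//    is not a browser, so the value is kept exactly as received. (SQL injection
//    is a separate concern handled by query bindings, not by HTML escaping.)
function storeRaw(string $value): string
{
    // Stand-in for a prepared statement or log_message(); returns what would
    // be written so the round-trip is visible below.
    return $value;
}

// 2. HTML body and attribute context: htmlspecialchars() with ENT_QUOTES,
//    which is what CodeIgniter 3's html_escape() helper wraps.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. JSON context (an API response, or a value embedded in a <script> block):
//    a different sink needs a different encoder. The JSON_HEX_* flags encode
//    <, >, &, ' and " as \uXXXX so the string is also safe inside HTML.
function escapeJson(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$stored = storeRaw($userInput);

echo "Stored/logged (raw):      " . $stored . PHP_EOL;
echo "HTML body output:         <p>" . escapeHtml($stored) . "</p>" . PHP_EOL;
echo "HTML attribute output:    <input value=\"" . escapeHtml($stored) . "\">" . PHP_EOL;
echo "JSON output:              " . escapeJson($stored) . PHP_EOL;

// 4. What "escape on input" would have cost: the stored value no longer
//    round-trips. A plain-text sink (email, CSV export, a log search) shows
//    entities, and escaping again at output double-encodes them, so the user
//    sees literal "&amp;lt;script&amp;gt;" instead of the text they typed.
$escapedTooEarly = escapeHtml($userInput);
echo "Escaped on input instead: " . $escapedTooEarly . PHP_EOL;
echo "Double-encoded at output: " . escapeHtml($escapedTooEarly) . PHP_EOL;
```

Run it with `php example.php` (PHP 7.3 or later for JSON_THROW_ON_ERROR). The point it makes for the logging question in the thread: the log line and the database value stay exactly what the user sent, and each reader of that value decides how to encode it for its own context.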


RE: About security (XSS, CSRF, etc) - geekita - 03-01-2015

(03-01-2015, 08:41 AM)Narf Wrote: It's very simple - XSS is a browser attack, therefore if something isn't displayed in a browser, don't do XSS escaping on it.

Thanks, I've found this interesting article which clarifies a bit

http://lukeplant.me.uk/blog/posts/why-escape-on-input-is-a-bad-idea/


RE: About security (XSS, CSRF, etc) - twpmarketing - 03-01-2015

(03-01-2015, 09:16 AM)geekita Wrote: ...
Thanks, I've found this interesting article which clarifies a bit

http://lukeplant.me.uk/blog/posts/why-escape-on-input-is-a-bad-idea/

#geekita, thank you for the link to the article on escaping data; it answered my own questions in detail.