CodeIgniter Forums
A security question about xss_clean
Thread: A security question about xss_clean (/showthread.php?tid=21753)

A security question about xss_clean - El Forum - 08-19-2009

[eluser]Zorancho[/eluser]
Hi to all.
I have one security question about the xss_clean function in CI. I know that if the global XSS filter is set to TRUE in the config file it will automatically clean all $_GET, $_POST and $_COOKIE data, but what about when I want to have safe output? I am using this function in my helper, and I have global XSS filtering turned to TRUE in the config.
Code:
function safe_output($value)
{
    // Run CI's XSS filter again on the way out, even though the global filter already ran on input.
    $value = xss_clean($value);
    // Re-encode UTF-8 to UTF-8 so invalid byte sequences are replaced instead of passed through.
    $value = mb_convert_encoding($value, 'UTF-8', 'UTF-8');
    // Escape HTML metacharacters, including both quote styles, for output.
    $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
    return $value;
}
Is this good practice, or just a waste of time?


A security question about xss_clean - El Forum - 08-20-2009

[eluser]Skuja[/eluser]
If your input has been safe, why do you think that the output won't be? If you do not want to break any HTML structure, just use htmlspecialchars() on output.
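One way to write the output side of this, as an added example that is not code from the thread or from CodeIgniter: escaping at output with htmlspecialchars() neutralises markup regardless of whether the global XSS filter touched the value on input. It assumes PHP 5.4 or later for ENT_SUBSTITUTE and does not reproduce xss_clean().

```php
<?php
// Added example, not from the thread or from CodeIgniter. Assumes PHP >= 5.4
// (ENT_SUBSTITUTE). xss_clean() is intentionally not called here: escaping at
// output is what keeps the browser from treating the value as markup.

// Escape a value for an HTML text node or a quoted attribute value.
function safe_output($value)
{
    // ENT_QUOTES: escape both ' and " so the value cannot close an attribute.
    // ENT_SUBSTITUTE: replace malformed UTF-8 with U+FFFD instead of the
    // default behaviour of returning '' for the whole string, which would
    // silently drop the value rather than display it.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values, standing in for data that was stored after the
// global input filter ran and is now being rendered in a template.
$samples = array(
    'plain'      => 'O\'Reilly & Sons <3',
    'markup'     => '<b onmouseover="alert(1)">hi</b>',
    'attr_break' => '" autofocus onfocus="alert(1)',
    'bad_utf8'   => "caf\xC3",   // truncated multibyte sequence
);

foreach ($samples as $name => $raw) {
    $escaped = safe_output($raw);
    // Text-node context: the browser renders $escaped as literal text.
    printf("%-10s text: <p>%s</p>\n", $name, $escaped);
    // Attribute context: the escaped quote cannot terminate the attribute.
    printf("%-10s attr: <input value=\"%s\">\n", '', $escaped);
}
```

Because every '<', '>', '&', '"' and "'" becomes an entity, the same escaped string is safe in both the text and attribute positions shown; a second pass through xss_clean() adds nothing at this point.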