CodeIgniter Forums
CodeIgniter XSS Protection is good, but not enough by itself. - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived General Discussion (https://forum.codeigniter.com/forum-21.html)
+--- Thread: CodeIgniter XSS Protection is good, but not enough by itself. (/thread-34043.html)



CodeIgniter XSS Protection is good, but not enough by itself. - El Forum - 09-16-2010

[eluser]Unknown[/eluser]
Guys.. you need to read this link and please reply back here.

The author claims that CI's internal XSS filter is not strong enough to combat the issue.

I don't know about this since I'm not too 'advanced' in CI. Maybe you can share your thoughts about it.


CodeIgniter XSS Protection is good, but not enough by itself. - El Forum - 09-16-2010

[eluser]danmontgomery[/eluser]
When it comes to security, nothing is enough by itself.


CodeIgniter XSS Protection is good, but not enough by itself. - El Forum - 09-16-2010

[eluser]WanWizard[/eluser]
Read it. And find it of limited use.

None of the examples given pose a threat in itself. Whether or not a string is a threat depends on where you use it. "FORMAT C:" is a totally innocent string. Unless typed in on the command line of a Windows box.
The examples used 'could' be a threat if you echo the post variable back as part of an HTML tag. How likely is that, for anyone with a bit of common sense?

And, since the article was published only a few weeks ago, he could have checked 2.0 as well, which would have revealed that the XSS clean functionality has been completely rewritten, and now includes, amongst other things, encoding.

I agree with Jelmer's response to the article that global XSS cleaning is often unnecessary, or even unwanted, and that you should always be conscious about the possible security issues with the application you're building. And act upon that.
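The point made above, that the same string is harmless in one output context and dangerous in another, as an added PHP example. This is not code from the thread or from CodeIgniter: `naive_xss_filter()` is a constructed stand-in for a generic tag-stripping input cleaner (it is not `xss_clean()` and makes no claim about what `xss_clean()` does with this input), the hostile input is constructed, and `h()` is a hypothetical helper name for output-context escaping.

```php
<?php
// Added example, not from the original post or from CodeIgniter.
// Shows why filtering input for "XSS" is not a substitute for escaping on output.

// Constructed stand-in for a generic tag-oriented input cleaner.
// NOT CodeIgniter's xss_clean(); it only strips tags and the word "script".
function naive_xss_filter(string $s): string
{
    $s = strip_tags($s);
    return preg_replace('/script/i', '', $s);
}

// Hypothetical output-escaping helper: encode <, >, &, " and ' for HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed hostile input. It contains no '<', no '>' and no "script",
// so a tag-oriented filter has nothing to remove and passes it through as-is.
$input = '" onmouseover="alert(document.cookie)';
$cleaned = naive_xss_filter($input);

// Context 1: echoed as text between tags. Here it is harmless; the browser
// shows the quote and the rest as literal characters.
$asText = '<p>' . $cleaned . '</p>';

// Context 2: the same value echoed into an attribute. The leading quote closes
// value="" and the remainder becomes an event handler on the input element.
$asAttr = '<input type="text" name="q" value="' . $cleaned . '">';

// Escaping at the point of output neutralises it in the attribute context:
// the quotes are encoded, so the attribute cannot be broken out of.
$safeAttr = '<input type="text" name="q" value="' . h($input) . '">';

echo "Filter changed the input: ", ($cleaned === $input ? 'no' : 'yes'), PHP_EOL;
echo "As text:        ", $asText, PHP_EOL;
echo "In attribute:   ", $asAttr, PHP_EOL;   // handler is live here
echo "Escaped output: ", $safeAttr, PHP_EOL; // handler is inert here
```

Run it with `php example.php`. The attribute case is the one the post is warning about: the decision of how to encode belongs where the value is written into the page (text node, attribute, URL, JavaScript), which is why a single global clean on `$_POST` cannot cover every case.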