Are there any security issues I need to worry about jquery-ui-autocomplete working with get array enabled - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com) > Archived Discussions > Archived Development & Programming
Thread: https://forum.codeigniter.com/showthread.php?tid=40303
edjon2000 - 04-05-2011

Hello all

After several weeks of struggling I have finally managed to get the jQuery UI autocomplete widget working and reading data from a MySQL database; however, I have had to enable the GET array in CI. Do I need to be worried about any security problems?

I am using the following:

    jquery-1.5.1.js
    jquery.ui.core.js
    jquery.ui.widget.js
    jquery.ui.position.js
    jquery.ui.autocomplete.js

I am using jQuery UI version 1.8.11 and CI 2.0.1 with the GET array enabled.

Jon

InsiteFX - 04-05-2011

As with any online software: NEVER TRUST USER INPUT!

InsiteFX

edjon2000 - 04-05-2011

Hi InsiteFX, thanks for the response. I should probably escape the input using

Code:
    $keyword = $this->input->get('term');

Code:
    $keyword = $_GET['term'];

I already have CSRF protection enabled, although I did read elsewhere on this forum that some members were having problems with that. I also noticed that a lot of the posted code examples had $AJAX{ ... in the JS for the view; what was that all about?

Jon

InsiteFX - 04-05-2011

There is a second parameter to $this->input:

Code:
    $keyword = $this->input->get('term', TRUE); // TRUE = use the XSS filter

InsiteFX

InsiteFX - 04-05-2011

Quote:
    I already have CSRF protection enabled, although I did read elsewhere on this forum that some members were having problems with that. I also noticed that a lot of the posted code examples had $AJAX{ ... in the JS for the view; what was that all about?

They are putting the Ajax code in their views. I always put my jQuery code into stand-alone files; jQuery code does not belong in the view, only the code to load it. If you use files like I do, place your scripts at the bottom of the HTML file just before the closing </body> tag, but load jQuery and jQuery UI in the head tags.

InsiteFX

edjon2000 - 04-05-2011

InsiteFX wrote:
    There is a second parameter to $this->input:
    Code:
        $keyword = $this->input->get('term', TRUE); // TRUE = use the XSS filter
    InsiteFX

For now I actually have global XSS filtering enabled and may leave it that way, as it doesn't seem to slow the site down much at all (my page load times are below 1 sec after caching so far, and actual page execution time is below 0.2 seconds).

InsiteFX wrote:
    Quote:
        I already have CSRF protection enabled, although I did read elsewhere on this forum that some members were having problems with that. I also noticed that a lot of the posted code examples had $AJAX{ ... in the JS for the view; what was that all about?
    They are putting the Ajax code in their views. I always put my jQuery code into stand-alone files; jQuery code does not belong in the view, only the code to load it. If you use files like I do, place your scripts at the bottom of the HTML file just before the closing </body> tag, but load jQuery and jQuery UI in the head tags.
    InsiteFX

I have most of the code outside the view apart from the following

Code:
    [removed]

Although I could probably move that as well, I'm not sure. I am still very new with JavaScript; I find it a difficult language to pick up. As for the jQuery and jQuery UI files, I load them dynamically into the header for that page only (it keeps page sizes down). I use a common header and footer throughout the site.

Jon
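An added example (not code posted in this thread) pulling together Jon's escaping question and InsiteFX's second-parameter tip: a CodeIgniter 2.x controller action that reads the autocomplete `term` from the GET array, treats the XSS filter as output protection only, keeps the keyword out of raw SQL via Active Record, and returns properly typed JSON. The controller name `Suggest`, the `customers` table and its `name` column are assumptions, and the database library is assumed to be autoloaded.

```php
<?php
// Added example, not code from this thread. A CodeIgniter 2.x controller
// action that answers jQuery UI autocomplete requests. The controller name,
// the `customers` table and its `name` column are assumptions made up here.
class Suggest extends CI_Controller {

    public function term()
    {
        // jQuery UI sends the typed text as ?term=..., so the GET array must be
        // enabled. TRUE runs CI's XSS filter; that guards output, not SQL, so
        // the value still must never be concatenated into a query.
        $keyword = $this->input->get('term', TRUE);

        // Accept only a short plain string before the database is touched.
        // get() returns FALSE when the key is missing and an array for term[].
        if ( ! is_string($keyword) || strlen($keyword) < 2 || strlen($keyword) > 50)
        {
            $this->output->set_content_type('application/json');
            $this->output->set_output('[]');
            return;
        }

        // Active Record's like() escapes the value itself, so the keyword
        // never becomes part of raw SQL. 'after' gives LIKE 'keyword%'.
        $this->db->select('name');
        $this->db->like('name', $keyword, 'after');
        $this->db->limit(10);
        $query = $this->db->get('customers');

        $items = array();
        foreach ($query->result() as $row)
        {
            $items[] = array('label' => $row->name, 'value' => $row->name);
        }

        // json_encode escapes quotes and control characters; the explicit
        // Content-Type keeps the browser from treating the body as HTML.
        $this->output->set_content_type('application/json');
        $this->output->set_output(json_encode($items));
    }
}
```

With this in place the widget is pointed at `index.php/suggest/term` as its `source` URL, and the length check plus `limit(10)` also keep a single keystroke from turning into an unbounded table scan.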