CodeIgniter Forums
Online documentation for Global XSS Filtering section

Online documentation for Global XSS Filtering section - sparky672 - 05-26-2015

The online documentation for "XSS Filtering" here...

http://www.codeigniter.com/user_guide/libraries/security.html#xss-filtering

says this:

Quote: If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this:
Code:
$config['global_xss_filtering'] = TRUE;

However, when I go to the config.php file and look at this section, I see the following comments:

Quote:
Code:
| WARNING: This feature is DEPRECATED and currently available only
|          for backwards compatibility purposes!

So if it's deprecated, shouldn't the online documentation also state this and explain more about it?

Since the online documentation is missing this information, what is the best practice for global XSS filtering on a new project?  Don't use it (because it's deprecated)?  Do something else?  Do nothing?  Stick with per-item processing?  What?


RE: Online documentation for Global XSS Filtering section - Narf - 05-27-2015

(05-26-2015, 09:20 AM)sparky672 Wrote: The online documentation for "XSS Filtering" here...

http://www.codeigniter.com/user_guide/libraries/security.html#xss-filtering

says this:


Quote: If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this:

Code:
$config['global_xss_filtering'] = TRUE;

However, when I go to the config.php file and look at this section, I see the following comments:


Quote:
Code:
| WARNING: This feature is DEPRECATED and currently available only
|          for backwards compatibility purposes!

So if it's deprecated, shouldn't the online documentation also state this and explain more about it?

It shouldn't mention it at all on that page ... https://github.com/bcit-ci/CodeIgniter/commit/938c7e4e4d874189fec2bec8532ed70bb8c52f05

(05-26-2015, 09:20 AM)sparky672 Wrote: Since the online documentation is missing this information, what is the best practice for global XSS filtering on a new project?  Don't use it (because it's deprecated)?  Do something else?  Do nothing?  Stick with per-item processing?  What?

Use xss_clean() when outputting user-supplied data, or let a templating engine like Twig do that for you - IMO, automatic XSS escaping is the only thing templating engines are useful for anyway ...
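The per-item approach Narf describes, as an added example that is not part of the thread or of the CodeIgniter project: the deprecated global flag stays off, the raw value is read from POST, and filtering happens once, where the value is rendered. The controller name, view name and the "comment" field are assumptions; $this->input->post(), $this->security->xss_clean() and html_escape() are CodeIgniter 3 APIs.

```php
<?php
// --- application/config/config.php (constructed excerpt) ---
// Leave the deprecated global filter off; it is kept only for backwards
// compatibility, as the comment in config.php warns.
// $config['global_xss_filtering'] = FALSE;

// --- application/controllers/Comments.php (hypothetical controller) ---
defined('BASEPATH') OR exit('No direct script access allowed');

class Comments extends CI_Controller
{
    public function submit()
    {
        // Read the raw POST value. The second argument (TRUE) would run
        // xss_clean() on the way in; it is FALSE here so the stored value is
        // untouched and filtering is applied exactly once, at output time.
        $comment = $this->input->post('comment', FALSE);

        // ... persist $comment with a model call (hypothetical, not shown) ...

        // Hand the raw value to the view; the view is responsible for output
        // filtering, so every render path applies the same treatment.
        $this->load->view('comment_view', array('comment' => $comment));
    }
}

// --- application/views/comment_view.php (hypothetical view) ---
?>
<p>
<?php
// Per-item filtering at output, as recommended above: xss_clean() removes
// known script vectors, and html_escape() then encodes the result for an
// HTML text context so whatever remains is rendered as literal text rather
// than markup. Doing both is a defensive belt-and-braces choice.
echo html_escape($this->security->xss_clean($comment));
?>
</p>
```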


RE: Online documentation for Global XSS Filtering section - sparky672 - 05-27-2015

(05-27-2015, 09:16 AM)Narf Wrote: It shouldn't mention it at all on that page ... https://github.com/bcit-ci/CodeIgniter/commit/938c7e4e4d874189fec2bec8532ed70bb8c52f05

Of course removing it is even better. However, for consistency, you might want to scour the CI documentation for everything else that's deprecated so you can remove those too.

(05-27-2015, 09:16 AM)Narf Wrote: Use xss_clean() when outputting user-supplied data ....

Thank you. I plan on using xss_clean().


RE: Online documentation for Global XSS Filtering section - Narf - 05-27-2015

(05-27-2015, 09:54 AM)sparky672 Wrote:
(05-27-2015, 09:16 AM)Narf Wrote: It shouldn't mention it at all on that page ... https://github.com/bcit-ci/CodeIgniter/commit/938c7e4e4d874189fec2bec8532ed70bb8c52f05

Of course removing it is even better. However, for consistency, you might want to scour the CI documentation for everything else that's deprecated so you can remove those too.

I did say "on that page" ... it just doesn't belong in there, arguably even if it was not deprecated. That doesn't mean deprecated functionalities should be completely removed from the docs.