CodeIgniter Forums
filter input - escape output - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: Best Practices (https://forum.codeigniter.com/forumdisplay.php?fid=12)
+--- Thread: filter input - escape output (/showthread.php?tid=65261)
filter input - escape output - edoramedia - 05-22-2016

In theory I completely understand what is being said here and how we should not manipulate the data that is saved in the database (hence xss_clean has been deprecated from the form validation); however, can someone please explain it with the example below:

We have a login page with:
email: _________
password: _________

How do I make sure that an XSS attack does not happen here? In other words, how do I escape the output? Or what should I do in terms of filtering the input?


RE: filter input - escape output - kenjis - 05-22-2016

What's your output?


RE: filter input - escape output - edoramedia - 05-22-2016

(05-22-2016, 02:01 AM)kenjis Wrote: What's your output?

Output is basically user details according to the email/password combo which is then stored in a SESSION.


RE: filter input - escape output - kenjis - 05-22-2016

Basically you escape the output using `html_escape()` in your view files.
https://www.codeigniter.com/userguide3/helpers/form_helper.html#escaping-field-values
It is an alias for `htmlspecialchars()`.


But in some places, using `html_escape()` is not enough.
See https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary


RE: filter input - escape output - ivantcholakov - 05-22-2016

In addition to the existing function html_escape(), I've got functions for escaping in other contexts:

Code:
// Escapers

// html_escape() already has been implemented (CodeIgniter's helper, HTML body context).

// Each helper below delegates to Twig's built-in 'escape' filter with a
// context strategy: 'html_attr', 'js', 'css' or 'url'.

if (!function_exists('html_attr_escape')) {
    // For values placed inside HTML attributes.
    function html_attr_escape($string) {
        $twig = & _get_simple_twig_instance();
        return call_user_func($twig->getFilter('escape')->getCallable(), $twig, $string, 'html_attr');
    }
}

if (!function_exists('js_escape')) {
    // For values placed inside JavaScript string literals.
    function js_escape($string) {
        $twig = & _get_simple_twig_instance();
        return call_user_func($twig->getFilter('escape')->getCallable(), $twig, $string, 'js');
    }
}

if (!function_exists('css_escape')) {
    // For values placed inside CSS.
    function css_escape($string) {
        $twig = & _get_simple_twig_instance();
        return call_user_func($twig->getFilter('escape')->getCallable(), $twig, $string, 'css');
    }
}

if (!function_exists('url_escape')) {
    // For values placed into URL query parameters.
    function url_escape($string) {
        $twig = & _get_simple_twig_instance();
        return call_user_func($twig->getFilter('escape')->getCallable(), $twig, $string, 'url');
    }
}

if (!function_exists('_get_simple_twig_instance')) {
    // Lazily builds one shared Twig_Environment that is used only for its escape filter.
    function & _get_simple_twig_instance() {
        static $instance = null;

        if (!isset($instance)) {
            $instance = new Twig_Environment(
                new Parser_Twig_Loader_String, // Twig_Environment requires a loader
                array(
                    'debug' => false,
                    'charset' => config_item('charset'),
                    'base_template_class' => 'Twig_Template',
                    'strict_variables' => false,
                    'autoescape' => 'html',
                    'cache' => false,
                    'auto_reload' => null,
                    'optimizations' => -1,
                )
            );
        }

        return $instance;
    }
}

// End Escapers

I use the internal escapers of Twig because I already have it. But it is not necessary for you to install Twig in your system; you can easily rewrite the bodies of these helper functions by using the small component Zend\Escaper https://github.com/zendframework/zend-escaper. It has the same routines inside; install it with Composer.
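As an added example (not code from this thread, from CodeIgniter, Twig or Zend\Escaper), the following plain-PHP escapers implement the same per-context rules from the OWASP cheat sheet kenjis linked, and then render the session's email value into four different output contexts, which is the situation the original question asks about. The `_ex` suffixes are hypothetical names chosen so they do not clash with CodeIgniter's own html_escape(); it assumes PHP 7.2+ with mbstring (for mb_ord) and a UTF-8 charset.

```php
<?php
// Added example: context-specific escapers in plain PHP, no Twig or Zend\Escaper needed.
// Pick the escaper by where the value lands in the page, not by where it came from.
// Assumes PHP 7.2+ with mbstring (mb_ord) and a UTF-8 charset.

// HTML body text between tags (what CodeIgniter's html_escape() does).
function html_escape_ex(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Shared helper: every character outside $safe is replaced by $fmt(codepoint).
function escape_by_codepoint(string $s, string $safe, callable $fmt): string {
    return preg_replace_callback('/[^' . $safe . ']/u',
        function (array $m) use ($fmt) { return $fmt(mb_ord($m[0], 'UTF-8')); }, $s);
}

// HTML attribute values: &#xHH; form is safe even in an unquoted attribute.
function html_attr_escape_ex(string $s): string {
    return escape_by_codepoint($s, 'a-zA-Z0-9,.\-_',
        function (int $cp) { return sprintf('&#x%02X;', $cp); });
}

// JavaScript string literal: \xHH / \uHHHH so quotes, </script> and newlines are inert.
function js_escape_ex(string $s): string {
    return escape_by_codepoint($s, 'a-zA-Z0-9,._',
        function (int $cp) { return $cp < 0x100 ? sprintf('\\x%02X', $cp) : sprintf('\\u%04X', $cp); });
}

// CSS value: \HH followed by a space (the space terminates the hex escape).
function css_escape_ex(string $s): string {
    return escape_by_codepoint($s, 'a-zA-Z0-9',
        function (int $cp) { return sprintf('\\%X ', $cp); });
}

// URL query parameter: percent-encoding.
function url_escape_ex(string $s): string {
    return rawurlencode($s);
}

// Constructed sample: the "email" typed into the login form and stored in the
// session as-is (filtering on input is not relied on), now rendered in the view.
$email = '"><script>alert(1)</script>';

echo '<p>Welcome, ' . html_escape_ex($email) . "</p>\n";                       // body text
echo '<input type="text" value="' . html_attr_escape_ex($email) . "\">\n";      // attribute
echo "<script>var who = '" . js_escape_ex($email) . "';</script>\n";           // JS string
echo '<a href="/profile?email=' . url_escape_ex($email) . "\">Profile</a>\n";  // URL parameter
```

Run it and compare the four outputs: the same stored value is rendered safely each time, and html_escape_ex() alone would not have been correct for the JavaScript or URL lines.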


RE: filter input - escape output - cartalot - 05-22-2016

Note that in the first link that Kenjis cited - the one for echoing out a value in a form field - you don't have to use that function IF you are using the CodeIgniter form helper. The form helper makes it much faster to build out form fields, and having that security there automatically is also a big plus.