CodeIgniter Forums
xss clean issue - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6)
+--- Forum: Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19)
+--- Thread: xss clean issue (/showthread.php?tid=70262)



xss clean issue - michaelv - 03-15-2018

hello
CI 3.1.5
i have an issue with a form validation +xss_clean,
input string is : route val de soane

$this->form_validation
->set_rules('adresse', 'Adresse', 'required|xss_clean|trim|max_length[255]')...

print_r($_POST['adresse1'])
>route val de soane

print_r($this->input->post('adresse1'))
>routeval de soane

the xss_clean feature remove the space beetwen route & val

any way to avoid this?

sytem/core/Security.php line 448 if i remove 'eval' from the $words array no probleme


RE: xss clean issue - jreklund - 03-15-2018

You shouldn't use xss_clean on input. You should filter the data if you expect only letters.
https://www.codeigniter.com/userguide3/installation/upgrade_300.html#step-13-check-for-usage-of-the-xss-clean-form-validation-rule

Use html_escape on output instead.
https://www.codeigniter.com/user_guide/general/common_functions.html#html_escape


RE: xss clean issue - dave friend - 03-16-2018

The rule 'xss_clean' was removed from CI at version 3.0.0 read this


RE: xss clean issue - michaelv - 03-16-2018

i still have the global xss protection activated


RE: xss clean issue - dave friend - 03-16-2018

Visit the links provided to see why that's not recommended.
Also, read this

In short, don't use the global xss clean

An in-depth and technically dense discussion on XSS prevention can be found HERE