CodeIgniter Forums
Codeigniter Sanitisation Practices - Printable Version

CodeIgniter Forums > Using CodeIgniter > General Help
Thread: Codeigniter Sanitisation Practices (/showthread.php?tid=71345)

Codeigniter Sanitisation Practices - PierceMcGeough - 08-02-2018

I am looking into the best standard for sanitising content in CodeIgniter using the Smarty templating system.

Looking at the documentation we are told to do sanitisation on the output instead of the input.

Different articles say to use html_escape() and use it late, just before the output, but I can see pros and cons to doing it early and late.

Using it late just before smarty parsing can cause some issues with built strings such as an address on multi lines using a <br>.
Even later, after the Smarty parse, can also cause problems with default text, i.e. {$|default:'<i>Not set</i>'}.
You cannot use the nofilter option here because the $ could be malicious.
This is good because it will catch all output data, including model setters/getters and raw query results.

Looking at doing the sanitising at the earliest possible point (upon retrieving from the database):
Early in the getters 
PHP Code:
return html_escape($this->_address1); 

or set from array

PHP Code:
if (isset($data['address1'])) {
    $this->_address1 = html_escape($data['address1']);
}

This would mean any built strings would be sanitised. Such as a multi-line address with a malicious script inserted.
123 Street,

While this will work on all model views it will not catch the result queries which in turn will need to be sanitised.

What do you feel is the best standard for efficient sanitisation?
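To make the early-versus-late trade-off from this post concrete, here is an added example (not code from the thread) that builds the same multi-line address both ways. It is stand-alone: the html_escape() stand-in is an assumption that mirrors CodeIgniter 3's helper (htmlspecialchars with ENT_QUOTES), so the script runs without the framework, and the sample row is constructed.

```php
<?php
// Added example: escaping in the model ("early") versus escaping at output
// ("late") for a multi-line address. The html_escape() stand-in below is an
// assumption mirroring CodeIgniter 3's helper so the script runs stand-alone.

if (!function_exists('html_escape')) {
    function html_escape($var, $double_encode = true)
    {
        return htmlspecialchars($var, ENT_QUOTES, 'UTF-8', $double_encode);
    }
}

// Constructed sample row, as a model might receive it from a raw query.
$row = [
    'address1' => '123 Street <script>alert(1)</script>',
    'address2' => "O'Neill House",
    'city'     => 'Dublin',
];

// --- Early escaping: the model stores already-escaped strings ------------
class EarlyEscapedAddress
{
    private $_address1;
    private $_address2;
    private $_city;

    public function __construct(array $data)
    {
        $this->_address1 = html_escape($data['address1']);
        $this->_address2 = html_escape($data['address2']);
        $this->_city     = html_escape($data['city']);
    }

    // Built string: the <br> is trusted markup, the fields are already safe.
    public function multiLine()
    {
        return $this->_address1 . '<br>' . $this->_address2 . '<br>' . $this->_city;
    }
}

// --- Late escaping: the model keeps raw data, the view escapes ------------
class RawAddress
{
    public $address1;
    public $address2;
    public $city;

    public function __construct(array $data)
    {
        $this->address1 = $data['address1'];
        $this->address2 = $data['address2'];
        $this->city     = $data['city'];
    }
}

// View-layer helper: escape each field first, then join with markup, so the
// <br> separators survive while every data field is neutralised.
function render_address(RawAddress $a)
{
    return implode('<br>', array_map('html_escape', [$a->address1, $a->address2, $a->city]));
}

$early = new EarlyEscapedAddress($row);
$raw   = new RawAddress($row);

echo "Early (escaped in model):\n", $early->multiLine(), "\n\n";
echo "Late (escaped in view):\n", render_address($raw), "\n\n";

// Pitfall 1: passing an early-escaped model through a view-layer escape
// again double-encodes ("&lt;" becomes "&amp;lt;"), which renders literally.
echo "Double-escaped:\n", html_escape($early->multiLine()), "\n\n";

// Pitfall 2: escaping the whole built string late also eats the <br>,
// which is the problem described in the post. Escape fields, not markup.
echo "Whole-string escaped late:\n", html_escape($row['address1'] . '<br>' . $row['city']), "\n";
```

Run it with php on the command line. Both approaches neutralise the script tag; the difference is where the responsibility sits. Early escaping puts trusted-markup assembly inside the model and risks double encoding whenever a view escapes again, while late escaping keeps the model as plain data and requires every output path (templates, raw query results, JSON) to escape each field before any markup is added.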

RE: Codeigniter Sanitisation Practices - jreklund - 08-02-2018

I'm escaping it with Smarty instead, as html_escape is just an alias for htmlspecialchars.

Inside href tags I use:

For everything else (except src, those need strict XSS protection):

New lines to <br>:

You should use an input validation too. So that you filter for just a-Z or what you need. So that you don't accept <script>
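The snippets in the reply above did not survive, so here is an added example (not jreklund's own code) of the same two-layer approach: whitelist input validation first, then Smarty output escaping with the escape modifier and nl2br. It assumes Smarty 3 installed via Composer (vendor/autoload.php), a writable ./templates_c directory, and a constructed form submission in place of $_POST.

```php
<?php
// Added example: whitelist validation on input plus Smarty escaping on output.
// Assumes Smarty 3 from Composer and a writable ./templates_c directory.
require_once __DIR__ . '/vendor/autoload.php';

// --- Input validation: accept only what the field needs ------------------
// Constructed sample submission; a real app reads $_POST via the framework.
$input = [
    'name'     => 'Pierce <script>alert(1)</script>',
    'postcode' => 'D02 XY45',
    'homepage' => 'https://example.com/?q=a&b=<x>',
];

// Whitelist rules, one per field. Anything outside the pattern is rejected
// rather than "cleaned", so <script> never enters the model.
$rules = [
    'name'     => '/^[A-Za-z \'-]{1,60}$/',
    'postcode' => '/^[A-Za-z0-9 ]{3,10}$/',
];

$errors = [];
foreach ($rules as $field => $pattern) {
    if (!isset($input[$field]) || !preg_match($pattern, $input[$field])) {
        $errors[$field] = "$field contains characters that are not allowed";
    }
}
if (!filter_var($input['homepage'], FILTER_VALIDATE_URL)) {
    $errors['homepage'] = 'homepage is not a valid URL';
}

// --- Output escaping in Smarty ------------------------------------------
// The rejected name is still rendered here on purpose, to show that output
// escaping is the second layer and holds even when validation is bypassed.
$smarty = new Smarty();
$smarty->setCompileDir(__DIR__ . '/templates_c');
$smarty->escape_html = true;   // every {$var} is HTML-escaped unless marked nofilter

$smarty->assign('input', $input);
$smarty->assign('errors', $errors);
$smarty->assign('notes', "line one\nline two");
$smarty->assign('address2', null);

// Inline template (string: resource). The 'url' escape is for query-string
// values inside href; 'html' followed by nl2br turns stored newlines into
// <br> after escaping, so the user can never supply the <br> themselves
// (nofilter there only skips the automatic second escape). The default text
// is emitted by {if}/{else} rather than |default, so it stays markup without
// putting nofilter on a user-controlled value.
$tpl = <<<'SMARTY'
{foreach $errors as $msg}<p class="error">{$msg}</p>{/foreach}
<p>Name: {$input.name}</p>
<a href="https://example.com/search?q={$input.postcode|escape:'url'}">Search</a>
<p>{$notes|escape:'html'|nl2br nofilter}</p>
<p>Address 2: {if $address2}{$address2}{else}<i>Not set</i>{/if}</p>
SMARTY;

echo $smarty->fetch('string:' . $tpl);
```

The validation step answers the "only accept a-Z" point: a pattern per field rejects the submission instead of trying to strip tags out of it. The template shows that the default-text problem from the opening post can be solved without nofilter by keeping the fallback markup in the template itself and only ever escaping the variable.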