CodeIgniter Forums
is xss_clean still a good practice to validate form - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: Libraries & Helpers (https://forum.codeigniter.com/forumdisplay.php?fid=11)
+--- Thread: is xss_clean still a good practice to validate form (/showthread.php?tid=74739)



is xss_clean still a good practice to validate form - Halim - 10-31-2019

Hello,

I'm using CodeIgniter 3.1.11, and in order to validate a form against XSS, I use something like this:

$this->form_validation->set_rules('first_name', 'First Name', 'trim|required|xss_clean');

in the autoload.php, I load the security helper:

$autoload['helper'] = array('url', 'form', 'security');

I checked on the doc online, but I didn't see the xss_clean in the form_validation section:
https://codeigniter.com/user_guide/libraries/form_validation.html

I found some solutions online that use this practice (xss_clean), but the solutions are pretty old, from 2015...
So I thought maybe this option is deprecated.

Thank you for your help.


RE: is xss_clean still a good practice to validate form - website - 10-31-2019

This is usually not used on forms. I am using html_escape() in views, and in database queries escape().


RE: is xss_clean still a good practice to validate form - dave friend - 10-31-2019

There isn't an "xss_clean" rule in CI v3 like there was in previous versions. You should remove that from your rules. You will probably find this comment in the Upgrading from 2.2x to 3.0.x instructions to be very interesting.

CI v3 has an xss_clean() function in the Security Class. And there is the same function in the security helper. (It actually calls the Security class method.)

Also, check out the Input Class which makes it easy to run POST and GET data through the xss_clean function.

But you really ought to do some research on what is considered best practice for avoiding XSS attacks. The xss_clean function isn't really viable these days.
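The approach the two replies above describe, as an added example that is not from any poster: validate the field without the removed xss_clean rule, let Query Builder and query bindings escape the database context, and call html_escape() in the view. The Profile controller, the users table and the view file name are assumptions.

```php
<?php
// --- application/controllers/Profile.php (added example; controller, table and view names are assumed) ---
defined('BASEPATH') OR exit('No direct script access allowed');

class Profile extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('form_validation');
        $this->load->database();
        $this->load->helper('form');
    }

    public function save()
    {
        // Validate shape only. CI3 has no xss_clean rule, and "cleaning" input is not
        // the fix anyway: store the raw value and escape it for each output context.
        $this->form_validation->set_rules('first_name', 'First Name',
            'trim|required|max_length[50]');

        if ($this->form_validation->run() === FALSE) {
            return $this->output->set_output(validation_errors());
        }

        // A second argument of TRUE would run xss_clean() via the Input class; it is
        // left off here, since the output escaping below is what prevents XSS.
        $first_name = $this->input->post('first_name');

        // Database context: Query Builder escapes the values it inserts, and the bound
        // values in query() are escaped too, so O'Brien or <script> cannot alter the SQL.
        $this->db->insert('users', array('first_name' => $first_name));
        $row = $this->db->query('SELECT first_name FROM users WHERE first_name = ? LIMIT 1',
                                array($first_name))->row();

        $this->load->view('profile_show', array('first_name' => $row->first_name));
    }
}

// --- application/views/profile_show.php (separate file) ---
// HTML context: html_escape() wraps htmlspecialchars() with ENT_QUOTES, so a stored
// <script>alert(1)</script> is rendered as literal text instead of being executed.
?>
<p>Hello, <?php echo html_escape($first_name); ?></p>
```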


RE: is xss_clean still a good practice to validate form - InsiteFX - 11-01-2019

Here is a good read on it by Google.

Google Application Security - Cross-site scripting