CodeIgniter Forums
XSS Clean in CI4? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
+--- Thread: XSS Clean in CI4? (/showthread.php?tid=75338)



XSS Clean in CI4? - ajmeireles - 01-28-2020

Hello, community!

I'm starting to migrate my platform to CI4 and I can't find an important function that I used in CI3, which is xss_clean on POST requests. In CI4, what is the similar function to xss_clean, or what is the recommendation to protect POST data?


RE: XSS Clean in CI4? - jreklund - 01-28-2020

XSS_clean should be considered deprecated. That's not a recommended practice to rely on. You should filter your inputs AND escape your outputs.

Input:
https://codeigniter4.github.io/userguide/libraries/validation.html
https://codeigniter4.github.io/userguide/incoming/incomingrequest.html#retrieving-input "Filtering Input Data"

Output:
https://codeigniter4.github.io/userguide/outgoing/view_renderer.html#escaping-data
https://codeigniter4.github.io/userguide/outgoing/view_renderer.html#escaping-contexts


RE: XSS Clean in CI4? - ajmeireles - 01-28-2020

(01-28-2020, 12:55 AM)jreklund Wrote: XSS_clean should be considered deprecated. That's not a recommended practice to rely on. You should filter your inputs AND escape your outputs.

Input:
https://codeigniter4.github.io/userguide/libraries/validation.html
https://codeigniter4.github.io/userguide/incoming/incomingrequest.html#retrieving-input "Filtering Input Data"

Output:
https://codeigniter4.github.io/userguide/outgoing/view_renderer.html#escaping-data
https://codeigniter4.github.io/userguide/outgoing/view_renderer.html#escaping-contexts

Then do the functions esc and setVar need to be applied in the view template, or where, for example?


RE: XSS Clean in CI4? - jreklund - 01-28-2020

Input is handled in your controller*. Output is handled in your view.

*setVar is called in your controller.


RE: XSS Clean in CI4? - ajmeireles - 01-28-2020

(01-28-2020, 12:32 PM)jreklund Wrote: Input is handled in your controller*. Output is handled in your view.

*setVar is called in your controller.

Sorry, but let me ask by showing an example:

In CI3 I clean the POST data with this method:
$post = $this->security->xss_clean($this->input->post(NULL, TRUE));

This means that all POST data received by the controller passes through xss_clean. How can I do something like this in CI4?


RE: XSS Clean in CI4? - dave friend - 01-31-2020

(01-28-2020, 01:05 PM)ajmeireles Wrote: Sorry, but let me ask by showing an example:

In CI3 I clean the POST data with this method:
$post = $this->security->xss_clean($this->input->post(NULL, TRUE));

This means that all POST data received by the controller passes through xss_clean. How can I do something like this in CI4?

There is no xss_clean function for CI4 because that is the wrong way to prevent XSS.

Here's some reading that may explain why the old CI approach is wrong and what you should do instead.

Read the accepted answer to a similar question here.

A readable and reasonably comprehensive blog post.

The very in-depth and astute post Everything You Need to Know About Preventing Cross-Site Scripting Vulnerabilities in PHP
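The following is an added example, not code from this thread or from the CodeIgniter project, that puts jreklund's advice ("filter your inputs AND escape your outputs"; input in the controller, output in the view, setVar called in the controller) and dave friend's point (there is no xss_clean in CI4 because output escaping is the correct defence) into one CI4 controller and view. The controller name, field names, validation rules and view paths are assumptions; `$this->validate()`, `$this->request->getPost()`, `service('renderer')->setVar()` with its context argument, and the `esc()` helper with its `html`, `attr` and `js` contexts are CI4's own documented API.

```php
<?php
// ---- app/Controllers/Posts.php (assumed path and class name) ----
// Added example, not from the forum thread or the CodeIgniter project.
// Replaces a blanket xss_clean() on $_POST with two separate steps:
//   1) validate/filter the input in the controller,
//   2) escape the output per context, either via setVar()'s context
//      argument in the controller or via esc() in the view.

namespace App\Controllers;

use CodeIgniter\Controller;

class Posts extends Controller
{
    public function store()
    {
        // 1) Filter input. Validation rules decide what is accepted at all;
        //    fields that are not listed are never read, so they cannot reach a view.
        $rules = [
            'title' => 'required|max_length[120]',
            'body'  => 'required|max_length[5000]',
            'site'  => 'permit_empty|valid_url',
        ];

        if (! $this->validate($rules)) {
            // The error strings echo user input, so the form view escapes them too.
            return view('posts/form', ['errors' => $this->validator->getErrors()]);
        }

        // Read only the named fields, not the whole POST array.
        $title = $this->request->getPost('title');
        $body  = $this->request->getPost('body');
        $site  = $this->request->getPost('site');

        // Persist $title/$body/$site as received (storage code omitted):
        // escaping belongs to the output stage, because the same value must be
        // escaped differently for HTML text, an attribute, a JS string or a URL.

        // 2a) Escape at output via the renderer: setVar()'s third argument is the
        //     escaping context. 'title' is escaped here for HTML text and may be
        //     printed as-is in the view.
        // 2b) 'body' and 'site' are passed raw and escaped in the view with esc(),
        //     where the surrounding context (text, attribute, script) is known.
        return service('renderer')
            ->setVar('title', $title, 'html')
            ->setVar('body', $body)
            ->setVar('site', $site)
            ->render('posts/show');
    }
}

// ---- app/Views/posts/show.php (assumed path) ----
// $title arrives already escaped (setVar with 'html' context).
// $body and $site are raw and are escaped here, once, in the right context.
?>
<h1><?= $title ?></h1>

<?php if ($site !== ''): ?>
    <!-- attribute context: quotes and angle brackets are neutralised -->
    <a href="<?= esc($site, 'attr') ?>">Website</a>
<?php endif; ?>

<!-- HTML text context; nl2br() runs after escaping so only its own <br> tags are raw -->
<p><?= nl2br(esc($body, 'html')) ?></p>

<script>
    // JS string context: esc(..., 'js') encodes characters that could end the literal
    var site = '<?= esc($site, 'js') ?>';
</script>
```

Note the division of labour: validation in the controller rejects malformed input (for example a non-URL in `site`) and limits what is read at all, while `esc()` in the view makes whatever survives harmless for the exact place it is printed. A single `xss_clean()` on the way in cannot do the second job, because the controller does not yet know whether a value will land in text, an attribute or a script.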