CodeIgniter Forums
CI4 - security with Forms - Printable Version

+--- Thread: CI4 - security with Forms (/showthread.php?tid=77011)



CI4 - security with Forms - kilden - 07-11-2020

Hello,

I wonder about a lot of things regarding security with my forms in CodeIgniter 4. If someone could enlighten me... ^^

1) Is the esc() function useful in Views or only in Controllers?

2) Is the esc() function (or something else) useful when sending an email (for preventing loading malware inside the email, maybe)?

3) Is it useful to enable 'csrf' with any form, or is strong validation enough?

4) What kind of simple captcha would you recommend against bots? I've tried to install ReCaptcha 3 and 2 without success because of issues with Firefox and Apple Safari, which don't allow loading such an external resource. It told me: "The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored."

Thank you for your advice.


RE: CI4 - security with Forms - InsiteFX - 07-11-2020

The rule is FIEO (Filter Input Escape Output).


RE: CI4 - security with Forms - ajmeireles - 07-11-2020

(07-11-2020, 09:35 AM)kilden Wrote: Hello,

I wonder about a lot of things regarding security with my forms in CodeIgniter 4. If someone could enlighten me... ^^

1) Is the esc() function useful in Views or only in Controllers?

2) Is the esc() function (or something else) useful when sending an email (for preventing loading malware inside the email, maybe)?

3) Is it useful to enable 'csrf' with any form, or is strong validation enough?

4) What kind of simple captcha would you recommend against bots? I've tried to install ReCaptcha 3 and 2 without success because of issues with Firefox and Apple Safari, which don't allow loading such an external resource. It told me: "The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored."

Thank you for your advice.


1. In views
2. I don't know, but I think no.
3. Both. CSRF and validation on all POST requests.


RE: CI4 - security with Forms - kilden - 07-12-2020

If I use the esc() function in a View, for example in a contact form on a textarea, it will change all special characters, and that's not really appropriate. If a visitor writes something like "dont't", it will change the text into "don't" if there is a validation.


RE: CI4 - security with Forms - jreklund - 07-13-2020

(07-11-2020, 09:35 AM)kilden Wrote: 1) Is the esc() function useful in Views or only in Controllers?

esc() should be applied to the rendered document, with the correct context. So everything in the view that the user can manipulate should be escaped.

(07-11-2020, 09:35 AM)kilden Wrote: 2) Is the esc() function (or something else) useful when sending an email (for preventing loading malware inside the email, maybe)?

Only if the content of said email is generated by the user.

(07-11-2020, 09:35 AM)kilden Wrote: 3) Is it useful to enable 'csrf' with any form, or is strong validation enough?

CSRF protection should always be on. With validation.

(07-11-2020, 09:35 AM)kilden Wrote: 4) What kind of simple captcha would you recommend against bots? I've tried to install ReCaptcha 3 and 2 without success because of issues with Firefox and Apple Safari, which don't allow loading such an external resource. It told me: "The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored."

You need to fix your Content Security Policy; usually it's due to the fact that you don't include the hash of the external resources in your code.

(07-11-2020, 09:35 AM)kilden Wrote: If I use the esc() function in a View, for example in a contact form on a textarea, it will change all special characters, and that's not really appropriate. If a visitor writes something like "dont't", it will change the text into "don't" if there is a validation.

All form_ helpers have a built-in esc($value, 'html') applied to the value. The extras have esc($value, 'attr');
https://codeigniter.com/user_guide/helpers/form_helper.html#escaping-field-values
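The worry raised about esc() changing a visitor's text (the "don't" example) and the answer above about escaping for the right context come together in this added example, which is not code from the thread or from CodeIgniter. It stands in for esc()'s 'html' context with plain htmlspecialchars() (the same call CI4 ultimately makes for that context) so it runs without the framework, and the `renderTextarea`/`browserText` helpers and the sample inputs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Stand-in for esc($value, 'html'): encode the five characters that have
// meaning in an HTML text node, using UTF-8 and replacing invalid bytes.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A contact-form textarea re-populated after a failed validation. The value is
// escaped for the HTML body context, so a typed "</textarea>" cannot close the
// element and start injecting markup into the page.
function renderTextarea(string $name, string $userInput): string
{
    return '<textarea name="' . $name . '">' . escHtml($userInput) . '</textarea>';
}

// What the browser displays and what it POSTs back when the form is resubmitted:
// the decoded text. Escaping changes the HTML *source*, not the visitor's text.
function browserText(string $html): string
{
    $inner = preg_replace('~^<textarea[^>]*>|</textarea>$~', '', $html);
    return html_entity_decode($inner, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: an apostrophe (the round-trip worry from the thread) and
// an attempt to break out of the textarea with markup.
$inputs = [
    "don't",
    "</textarea><b>bold</b>",
];

foreach ($inputs as $input) {
    $html = renderTextarea('message', $input);
    echo "source : $html\n";
    echo "browser: " . browserText($html) . "\n";

    // The visitor gets their exact text back; only the page source differs.
    assert(browserText($html) === $input);
    // The only literal "</textarea>" left is the one the view wrote itself.
    assert(substr_count($html, '</textarea>') === 1);
}
```

The 'attr', 'js', 'css' and 'url' contexts of esc() exist because each of those positions has a different set of meaningful characters; escaping with the 'html' rules inside an attribute or a script block is the case where escaping is applied but still leaves a hole.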