Codeigniter Sanitisation Practices
I am looking into the best standard for sanitising content in CodeIgniter using the Smarty templating system.

Looking at the documentation we are told to do sanitisation on the output instead of the input. https://www.codeigniter.com/user_guide/g...tml_escape Different articles say to use html_escape() and use it late, just before the output, but I can see pros and cons to doing it early and late.

Using it late, just before Smarty parsing, can cause some issues with built strings such as an address on multiple lines using a <br>. Even later, after the Smarty parse, can also cause problems with default text, i.e. {$var.name|default:'<i>Not set</i>'}. You cannot use the nofilter option here because the $var.name could be malicious. This is good because it will catch all output data, including model setters/getters and raw query results.

Looking at doing the sanitising at the earliest possible point (upon retrieving from the database):

Early in the getters:

PHP Code:
    return html_escape($this->_address1);

or set from array:

PHP Code:
    if (isset($data['address1'])) {
        $this->_address1 = html_escape($data['address1']);
    }

This would mean any built strings would be sanitised, such as a multi-line address with a malicious script inserted:

    123 Street, <script>alert('Malicious');</script>, Town County

While this will work on all model views, it will not catch the result queries, which in turn will need to be sanitised.

What do you feel is the best standard for efficient sanitisation?
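The early-versus-late trade-off described in the question, as an added example that is not code from the thread or from CodeIgniter. It uses htmlspecialchars() directly (which is what CodeIgniter's html_escape() wraps) so it runs without the framework; the Address class, its field names and the sample record are constructed for the illustration. It escapes each field at the model boundary and then composes the multi-line address, and shows beside it what happens when the composed string is escaped as a whole.

```php
<?php
declare(strict_types=1);

// Added example: escape at the point where data leaves the model, then build
// markup from already-escaped parts. The Address class is constructed here.

function escape_html(string $value): string
{
    // ENT_QUOTES escapes both quote styles, so the result is safe as text
    // content and inside double- or single-quoted attribute values.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

final class Address
{
    private string $address1 = '';
    private string $town = '';
    private string $county = '';

    // Raw values are stored unchanged; escaping is applied where data leaves
    // the model, so the database keeps the original text.
    public function setFromArray(array $data): void
    {
        foreach (['address1', 'town', 'county'] as $field) {
            if (isset($data[$field])) {
                $this->$field = (string) $data[$field];
            }
        }
    }

    public function getAddress1(): string { return escape_html($this->address1); }
    public function getTown(): string     { return escape_html($this->town); }
    public function getCounty(): string   { return escape_html($this->county); }

    // Early escaping: each part is escaped first, then joined with the
    // author-controlled <br> separators, which therefore survive intact.
    public function toHtmlLines(): string
    {
        $parts = array_filter(
            [$this->getAddress1(), $this->getTown(), $this->getCounty()],
            static fn(string $p): bool => $p !== ''
        );
        return implode('<br>', $parts);
    }

    // Late escaping for comparison: join the raw parts, then escape the whole.
    // The payload is neutralised, but so are the <br> separators.
    public function toHtmlLinesLate(): string
    {
        $parts = array_filter(
            [$this->address1, $this->town, $this->county],
            static fn(string $p): bool => $p !== ''
        );
        return escape_html(implode('<br>', $parts));
    }
}

// Default text: substitute the author's <i>Not set</i> markup only when the
// escaped value is empty. The user value is escaped before the comparison,
// so it never reaches the page raw while the default stays renderable.
function escaped_or_default(string $rawValue, string $defaultMarkup): string
{
    $escaped = escape_html($rawValue);
    return $escaped === '' ? $defaultMarkup : $escaped;
}

// Constructed input mirroring the payload quoted in the question.
$address = new Address();
$address->setFromArray([
    'address1' => "123 Street, <script>alert('Malicious');</script>",
    'town'     => 'Town',
    'county'   => 'County',
]);

echo 'early: ' . $address->toHtmlLines() . PHP_EOL;
echo 'late:  ' . $address->toHtmlLinesLate() . PHP_EOL;
echo 'name:  ' . escaped_or_default('', '<i>Not set</i>') . PHP_EOL;
echo 'name:  ' . escaped_or_default("<script>alert('Malicious');</script>", '<i>Not set</i>') . PHP_EOL;
```

Run with `php early_vs_late.php`. The "early" line keeps its three `<br>` separators with the script tag rendered as text; the "late" line shows the separators turned into `&lt;br&gt;`, which is the breakage the question describes. Note that this still leaves anything bypassing the getters (raw query results) unescaped, exactly as the question points out.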
I'm escaping it with Smarty instead, as html_escape is just an alias for htmlspecialchars.

Inside href tags I use:

    {$movie->url|htmlspecialchars:2:'UTF-8'|rawurlencode}

For everything else (except src, those need strict XSS protection):

    {$movie->trailer|htmlentities:3:'UTF-8'}

New lines to <br>:

    {$movie->notes|htmlentities:3:'UTF-8'|nl2br}

You should use input validation too, so that you filter for just a-Z or what you need. So that you don't accept <script>.
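The three output contexts in the answer above (href, text, multi-line notes) plus the recommended whitelist input check, as an added example that is not the answerer's code. It is plain PHP rather than Smarty so the order of operations in each chain is visible; the $movie record and the allowed host are constructed for the illustration, and the src handling goes beyond the answer by rejecting URLs whose scheme or host is not allowed.

```php
<?php
declare(strict_types=1);

// Added example: per-context output encoding and an allowlist input check.
// Sample data and the allowed CDN host are constructed for the illustration.

// Text content and attribute values: escape both quote styles.
function esc_html(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value placed in a URL path inside href: encode for the URL context first,
// then escape for the attribute context, so each consumer (the browser's
// HTML parser, then its URL parser) undoes exactly one layer.
function href_path_segment(string $s): string
{
    return esc_html(rawurlencode($s));
}

// Notes with line breaks: escape first, then convert newlines, so the <br>
// tags added by nl2br() are the only markup in the output.
function notes_html(string $s): string
{
    return nl2br(esc_html($s), false);
}

// src attributes need more than escaping: a user-supplied scheme or host is
// a problem even when perfectly escaped. Accept only https URLs on an
// allowed host and reject everything else (null) rather than "cleaning" it.
function safe_src(string $url, array $allowedHosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        return null;
    }
    if (!in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)) {
        return null;
    }
    return esc_html($url);
}

// Input validation: accept only the characters a field can legitimately
// hold, and reject the rest instead of trying to strip the bad parts.
function valid_slug(string $s): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $s) === 1;
}

// Constructed sample record, reusing the payload quoted in the question.
$movie = [
    'url'     => "some movie/<script>alert('Malicious');</script>",
    'trailer' => 'Trailer "teaser" & more',
    'notes'   => "Line one\n<b>Line two</b>",
    'poster'  => 'http://cdn.example.com/poster.jpg',   // http, not https: rejected
];

echo '<a href="/movie/' . href_path_segment($movie['url']) . '">'
    . esc_html($movie['trailer']) . '</a>' . PHP_EOL;
echo '<p>' . notes_html($movie['notes']) . '</p>' . PHP_EOL;

$src = safe_src($movie['poster'], ['cdn.example.com']);
echo ($src === null ? 'poster rejected' : '<img src="' . $src . '">') . PHP_EOL;

var_dump(valid_slug('the-matrix-1999'));   // true
var_dump(valid_slug('<script>'));          // false
```

The href helper deliberately applies rawurlencode() before the HTML escape, the reverse of the modifier order in the answer; with the answer's order an `&` in the value becomes `%26amp%3B` in the path. The src check is the "strict XSS protection" the answer alludes to: escaping alone cannot make an attacker-chosen scheme safe, so an allowlist decides what is rendered at all.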