Codeigniter Sanitisation Practices
#1
Brick 

I am looking into the best standard for sanitising content in CodeIgniter using the Smarty templating system.

Looking at the documentation we are told to do sanitisation on the output instead of the input.
https://www.codeigniter.com/user_guide/g...tml_escape

Different articles say to use html_escape() and use it late, just before the output, but I can see pros and cons to doing it early and late.

Using it late, just before Smarty parsing, can cause some issues with built strings such as an address on multiple lines using a <br>.
Even later, after Smarty parsing, can also cause problems with default text, i.e. {$var.name|default:'<i>Not set</i>'}.
You cannot use the nofilter option here because the $var.name could be malicious.
This is good because it will catch all output data including model setter/getters and raw query results

Looking at doing the sanitising at the earliest possible point (upon retrieving from the database), early in the getters:
PHP Code:
// Escape on the way out of the model, so every caller gets an escaped value
return html_escape($this->_address1);


or set from an array:


PHP Code:
// Escape on the way in, when the model is populated from a row/array
if (isset($data['address1']))
{
    $this->_address1 = html_escape($data['address1']);
}



This would mean any built strings would be sanitised. Such as a multi-line address with a malicious script inserted.
123 Street,
<script>alert('Malicious');</script>,
Town
County

While this will work on all model views, it will not catch the query results, which in turn will need to be sanitised.

What do you feel is the best standard for efficient sanitisation?
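As an added example (not code from the thread), the following plain-PHP script walks through the two cases raised above under the late-escaping approach: a multi-line address joined with <br>, and a markup default for an unset field. It also shows what happens when a getter escapes early and the view escapes again. esc() is a local stand-in for CodeIgniter's html_escape() (htmlspecialchars with ENT_QUOTES), and the Customer classes and the sample row are constructed for this example.

```php
<?php
// Added example: late vs early HTML escaping in plain PHP.
// esc() stands in for CodeIgniter's html_escape() so the script runs without
// the framework; both wrap htmlspecialchars() with ENT_QUOTES.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample row, as it might come back from a query: raw, unescaped.
$row = [
    'name'     => '',                                   // unset -> default text case
    'address1' => "123 Street,\n<script>alert('Malicious');</script>,\nTown\nCounty",
    'notes'    => 'Tom & Jerry <b>bold</b>',
];

// Late escaping: the model keeps raw values; the view escapes each piece
// immediately before it is interpolated into HTML.
final class Customer
{
    private array $data;
    public function __construct(array $data) { $this->data = $data; }
    public function name(): string     { return $this->data['name']; }
    public function address1(): string { return $this->data['address1']; }
    public function notes(): string    { return $this->data['notes']; }
}

$c = new Customer($row);

// Built string with <br>: escape the PARTS, then add the trusted markup.
// Escaping the already-joined string would turn the <br> into &lt;br&gt;.
$addressHtml = implode('<br>', array_map('esc', explode("\n", $c->address1())));

// Default text containing markup: decide on the default before escaping, and
// escape only the untrusted data, never the trusted literal.
$nameHtml = $c->name() !== '' ? esc($c->name()) : '<i>Not set</i>';

// Early escaping: the model escapes in the constructor and stores the escaped
// value. Any later escape (a view helper, a Smarty |escape modifier) doubles it.
final class EscapedCustomer
{
    private string $notes;
    public function __construct(array $data) { $this->notes = esc($data['notes']); }
    public function notes(): string { return $this->notes; }
}
$e = new EscapedCustomer($row);
$doubleEscaped = esc($e->notes());   // '&' becomes '&amp;amp;', '<' becomes '&amp;lt;'

echo "address:     $addressHtml\n";
echo "name:        $nameHtml\n";
echo "notes once:  " . esc($c->notes()) . "\n";
echo "notes twice: $doubleEscaped\n";
```

Run with `php example.php`. The address output keeps the <br> separators while the injected script tag is neutralised, the default text renders as italic, and the last line shows the mangled entities that early escaping plus a second escape at output produces.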
#2

(This post was last modified: 08-02-2018, 09:23 AM by jreklund.)

I'm escaping it with Smarty instead, as html_escape is just an alias for htmlspecialchars.

Inside href tags I use:
{$movie->url|htmlspecialchars:2:'UTF-8'|rawurlencode}

For everything else (except src, those need strict XSS protection):
{$movie->trailer|htmlentities:3:'UTF-8'}

New lines to <br>:
{$movie->notes|htmlentities:3:'UTF-8'|nl2br}

You should use input validation too, so that you filter for just a-Z or what you need and don't accept <script>.
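As an added example (not code from the thread), the script below mirrors the per-context output escaping in the post above in plain PHP, with a whitelist input check as the last step. For the href case it validates the URL scheme and then HTML-escapes the value, rather than percent-encoding the whole URL as the Smarty chain above does; the function names attrUrl, bodyText, bodyMultiline and validName, and the sample values, are this example's own.

```php
<?php
// Added example: escape per output context, plus whitelist input validation.

// URL in an href attribute. HTML escaping alone leaves "javascript:alert(1)"
// untouched, so the scheme is checked first, then the value is escaped for
// the attribute context.
function attrUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';   // refuse anything that is not http/https
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Plain text in the HTML body: htmlentities with ENT_QUOTES, which is the
// ":3" flag in the Smarty modifier chain above.
function bodyText(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Multi-line text in the body: escape FIRST, then convert newlines, so the
// inserted <br /> tags are the only markup that survives.
function bodyMultiline(string $s): string
{
    return nl2br(bodyText($s));
}

// Input validation: accept only the characters the field needs. This shrinks
// the attack surface at the boundary; output escaping still runs regardless.
function validName(string $s): bool
{
    return (bool) preg_match("/^[A-Za-z0-9 .,'-]{1,100}$/", $s);
}

// Constructed sample input
$samples = [
    'badUrl'  => 'javascript:alert(1)',
    'goodUrl' => 'https://example.com/trailer?id=1&t=2',
    'notes'   => "Line one\n<img src=x onerror=alert(1)>",
    'badName' => "Robert'); DROP TABLE movies;--",
    'goodName'=> 'Jane Doe',
];

printf('<a href="%s">bad</a>%s', attrUrl($samples['badUrl']), PHP_EOL);
printf('<a href="%s">good</a>%s', attrUrl($samples['goodUrl']), PHP_EOL);
echo bodyMultiline($samples['notes']), PHP_EOL;
var_dump(validName($samples['badName']));
var_dump(validName($samples['goodName']));
```

The first link collapses to href="#", the second keeps its query string with the ampersand escaped, the notes render as two lines with the image tag shown as text, and only the second name passes the whitelist.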