Login

***Narf*** · 05-27-2015, 09:16 AM

(05-26-2015, 09:20 AM)sparky672 Wrote: The online documentation for "XSS Filtering" here...

http://www.codeigniter.com/user_guide/li...-filtering

says this:

Quote:If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this:

Code:
$config['global_xss_filtering'] = TRUE;

However, when I go to the config.php file and look at this section, I see the following comments:

Quote:
Code:
| WARNING: This feature is DEPRECATED and currently available only | for backwards compatibility purposes!

So if it's deprecated, shouldn't the online documentation also state this and explain more about it?

It shouldn't mention it at all on that page ... https://github.com/bcit-ci/CodeIgniter/c...0bb8c52f05

(05-26-2015, 09:20 AM)sparky672 Wrote: Since the online documentation is missing this information, what is the best practice for global XSS filtering on a new project? Don't use it (because it's deprecated)? Do something else? Do nothing? Stick with per-item processing? What?

Use xss_clean() when outputting user-supplied data, or let a templating engine like Twig do that for you - IMO, automatic XSS escaping are the only thing templating engines are useful for anyway ...