turn off global xss on login page
#5

[eluser]onejaguar[/eluser]
I agree, any user input which will be displayed elsewhere on your site should be put through xss_clean or something similar, but content which is validated in another way (e.g. checked with ctype_digit, put through validation's alpha_numeric, valid_email, etc.) does not need to be cleaned; and any data which will not be re-displayed to other users (e.g. passwords) does not need to be cleaned.

Xss_clean is also very blunt in some cases, for instance in this forum typing
"Use this javascript{colon} "
or
"I made a funny facial expression (like I always do)"
gets turned into
"Use this [removed] "
and
"I made a funny facial [removed]like I always do)"

The worst part is, it doesn't show up in the preview so I don't see my post is mangled until after it is submitted.

Also, any HTML content will get totally destroyed, so WYSIWYG HTML editors need other forms of validation anyway.

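Added illustration of the point made in the post above (not code from the original thread and not CodeIgniter's xss_clean): a toy filter that blindly deletes the two substrings the post mentions, "javascript:" and "expression(", mangles the exact benign sentences quoted above, while type validation for numeric input and HTML-escaping at output time keep the text intact and still neutralise a hostile value. The sample strings are constructed for the example; the function names blunt_xss_clean, render_untrusted, is_valid_digits and demo are my own, and the toy filter deliberately contains only those two patterns, so it says nothing about what the real xss_clean does or does not catch.

```python
import html
import re

# Toy stand-in for a blunt blacklist filter of the kind the post describes:
# it deletes anything that merely looks like "javascript:" or CSS
# "expression(", regardless of context.  Illustration only; this is not
# CodeIgniter's xss_clean, which has many more rules than these two.
_BLUNT_PATTERNS = [
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"expression\s*\(", re.IGNORECASE),
]


def blunt_xss_clean(text: str) -> str:
    """Replace every suspicious-looking substring with '[removed]'."""
    for pattern in _BLUNT_PATTERNS:
        text = pattern.sub("[removed]", text)
    return text


def render_untrusted(text: str) -> str:
    """Context-aware alternative: store the input as typed, encode at output.

    HTML-escaping turns <, >, &, " and ' into entities, so the browser
    displays the text literally instead of parsing it as markup.  Benign
    prose passes through unchanged because it contains none of those
    characters."""
    return html.escape(text, quote=True)


def is_valid_digits(value: str) -> bool:
    """Input validated by type (the ctype_digit case in the post) needs no
    XSS cleaning: a string of digits cannot carry markup."""
    return value.isdigit()


# Constructed sample inputs: the two benign sentences from the post and one
# hostile value (an event-handler attribute, not a javascript: URL).
BENIGN = [
    "Use this javascript: ",
    "I made a funny facial expression (like I always do)",
]
HOSTILE = '<img src=x onerror="alert(1)">'


def demo() -> dict:
    """Run both strategies over the samples and return the results."""
    return {
        # Blunt filter: benign text is mangled...
        "blunt": [blunt_xss_clean(s) for s in BENIGN],
        # ...and this particular payload slips past the two-pattern toy.
        "hostile_blunt": blunt_xss_clean(HOSTILE),
        # Output encoding: benign text untouched, payload rendered inert.
        "escaped": [render_untrusted(s) for s in BENIGN],
        "hostile_escaped": render_untrusted(HOSTILE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the blunt filter producing exactly the "[removed]" output quoted in the post for both benign sentences, while the escaped versions are byte-for-byte the original text and the hostile sample becomes harmless entities. The design point is the one the post makes: decide per field how the data is constrained (type-checked, never re-displayed, or free text that must be encoded for its output context) rather than running one global blacklist over everything.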

Messages In This Thread
turn off global xss on login page - by El Forum - 05-29-2008, 09:31 AM
turn off global xss on login page - by El Forum - 05-29-2008, 11:27 AM
turn off global xss on login page - by El Forum - 05-29-2008, 02:07 PM
turn off global xss on login page - by El Forum - 05-29-2008, 02:18 PM
turn off global xss on login page - by El Forum - 05-29-2008, 03:23 PM
