XSS_Clean on Template Parser?


I have a few questions regarding XSS Cleaning in CI:

1. I noticed that the template parser does not xss_clean the output. Is there any specific reason for that? I know we should manually clean all outputs, but I was hoping for some kind of protection against forgetting a single output by mistake. If the template parser had it, that would be awesome.

If this is just the developers not having had the time, is it okay if I add it myself by extending CI_Parser, or is there a good reason not to do this?

2. If we want an output to be xss_cleaned but also don't want HTML tags to be processed, we should do this, right?

PHP Code:
echo html_escape(xss_clean($var));

I do it to prevent names from being something like <h1>anything</h1> and breaking the design. I cannot validate names to be alphabetic only, because the website is multilingual (or maybe I should validate by checking if the user input has HTML special chars? Not sure if that will prevent every possible attack).

3. I know the reason they removed global_xss_filtering, but if we really don't need to output any HTML and we manually prevent xss_clean on passwords ( $this->input->post('password', FALSE) ), is it still really bad to use it? I mean, isn't it better than forgetting to clean even a single output in the entire project, which would ruin everything?

I'm just trying to learn more and need an expert's advice on these. Hope you guys will help.
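The following is an added, stand-alone PHP example illustrating the two things asked about above: why a name such as <h1>anything</h1> breaks a page when substituted raw (question 2), and what an "escape every placeholder by default, opt out explicitly" substitution step looks like (the idea behind extending the parser in question 1). It is not code from the original post or from CodeIgniter. It calls htmlspecialchars() with the same flags CodeIgniter's html_escape() uses rather than the framework function itself, does not emulate xss_clean(), and the names escape_html, render and RawHtml are my own. Applying the same idea inside CodeIgniter would mean overriding the substitution step in a MY_Parser; that wiring is not shown or verified here.

```php
<?php
// Added example, not from the original post or from CodeIgniter.
// Run with: php escape_demo.php
//
// Shows (a) a user-supplied "name" containing markup breaking a page when it is
// substituted raw, and (b) a {placeholder} substitution that escapes every value
// unless the caller explicitly marks it as trusted HTML. Escaping uses
// htmlspecialchars() with ENT_QUOTES and UTF-8, the same flags CodeIgniter's
// html_escape() uses; xss_clean() is not available outside the framework and is
// deliberately not emulated here.

declare(strict_types=1);

// Escape for text placed in an HTML body or a quoted attribute value.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Wrapper type for markup the developer has already vetted. Wrapping is the
// single, explicit opt-out from escaping, so "forgot to escape" cannot happen.
final class RawHtml
{
    private string $html;

    public function __construct(string $html)
    {
        $this->html = $html;
    }

    public function html(): string
    {
        return $this->html;
    }
}

// Minimal {name}-style substitution (a stand-in for the template parser).
// Every scalar value is escaped; RawHtml values are inserted verbatim;
// placeholders with no matching key are left untouched.
function render(string $template, array $data): string
{
    return preg_replace_callback(
        '/\{([A-Za-z_][A-Za-z0-9_]*)\}/',
        static function (array $m) use ($data): string {
            if (!array_key_exists($m[1], $data)) {
                return $m[0];
            }
            $value = $data[$m[1]];
            if ($value instanceof RawHtml) {
                return $value->html();
            }
            return escape_html((string) $value);
        },
        $template
    );
}

// Constructed sample input: legitimate multilingual names plus two hostile ones.
$template = '<p class="name" title="{name}">{name}</p>';
$inputs = [
    'Zoë Müller',                    // multilingual input passes through unchanged
    'Jiří 李',
    '<h1>anything</h1>',             // breaks the layout if inserted raw
    '"><script>alert(1)</script>',   // breaks out of the title attribute if inserted raw
];

foreach ($inputs as $name) {
    echo "raw:     " . str_replace('{name}', $name, $template) . "\n";
    echo "escaped: " . render($template, ['name' => $name]) . "\n\n";
}

// Vetted markup still renders, but only when wrapped explicitly.
echo render('<div>{body}</div>', ['body' => new RawHtml('<em>from the editor</em>')]) . "\n";
```

The point of the RawHtml wrapper is that the safe path is the default and the unsafe path is visible in code review; it is the same trade-off as the `$this->input->post('password', FALSE)` opt-out mentioned in question 3, only with escaping at the output side rather than filtering at the input side.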


