CI4: what the use of esc inside view

#3
Indeed, it's when users try to add script tags.

For example, if they manage to add a script tag to their name, which has no visual representation, they could hijack admin sessions every time an admin user checks anything to do with said user name.

A few years back the common way was to filter through all that and save cleaned values to the DB. That does have a drawback: if someone manages to find a way around the filters, all old data would need to be checked again, something you as a developer might not even be aware of, giving you a false sense of security.

So at the moment the best practice seems to be to add it as-is in the DB, and escape everything when displaying it.
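To illustrate the store-raw, escape-on-output approach from the post above, here is an added example (not code from this thread or from CodeIgniter itself): a CI4 controller hands the stored name to the view unmodified, and the view escapes it with `esc()` for each output context it lands in. The controller/view paths, the `Users` controller and the sample record are assumptions; the stored name is a constructed value.

```php
<?php
// app/Controllers/Users.php (assumed path): no input filtering, raw value goes to the view
namespace App\Controllers;

class Users extends BaseController
{
    public function show(int $id)
    {
        // Constructed sample record standing in for a model lookup: the name is
        // stored exactly as the user submitted it, markup included.
        $user = [
            'id'   => $id,
            'name' => 'Mallory <script>alert(1)</script>',
        ];
        return view('users/show', ['user' => $user]);
    }
}
?>

<?php // app/Views/users/show.php (assumed path) ?>

<?php // VULNERABLE: the raw value is parsed as HTML, so the stored <script> runs
      // in the browser of every admin who opens this page. ?>
<h1><?= $user['name'] ?></h1>

<?php // HARDENED: esc() encodes for the context the value is placed in.
      // Default context 'html' turns < > & " ' into entities, so the tag is shown as text. ?>
<h1><?= esc($user['name']) ?></h1>

<!-- Inside an attribute value, use the 'attr' context -->
<input type="text" name="name" value="<?= esc($user['name'], 'attr') ?>">

<!-- Inside a JavaScript string literal, use the 'js' context -->
<script>
    const displayName = "<?= esc($user['name'], 'js') ?>";
</script>

<!-- Inside a query string, 'url' percent-encodes the value -->
<a href="/users/search?q=<?= esc($user['name'], 'url') ?>">Search similar</a>
```

Picking the context that matches where the value is inserted matters: HTML-entity encoding alone does not make a value safe inside a `<script>` block or a URL.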


Messages In This Thread
RE: CI4: what the use of esc inside view - by Pertti - 07-25-2018, 01:22 AM


