CI4 - security with Forms
Hello,
I wonder a lot of things about security with my forms in CodeIgniter 4. If someone could enlighten me... ^^
1) Is the esc() function useful in Views or only in Controllers?
2) Is the esc() function (or something else) useful when sending an email? (for preventing loading malware inside the email, maybe?)
3) Is it useful to enable 'csrf' with any form, or is strong validation enough?
4) What kind of simple captcha would you recommend for bots? I've tried to install ReCaptcha 3 and 2 without success because of issues with Firefox and Apple Safari, which don't allow loading such an external resource. It told me: "The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored."
Thank you for your advice.
The rule is FIEO (Filter Input Escape Output).
What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
(07-11-2020, 09:35 AM)kilden Wrote: Hello,
1. In views.
2. I don't know, but I think no.
3. Both. CSRF and validation on all POST requests.
If I use the function esc() in a View, for example in a contact form on a textarea, it will change all special characters and it's not really appropriate. If a visitor writes something like " dont't ", it will change the text into " don't " if there is a validation.
(07-11-2020, 09:35 AM)kilden Wrote: 1) Is the esc() function useful in Views or only in Controllers?
esc() should be applied to the rendered document, with the correct context. So everything in the view that the user can manipulate should be escaped.

(07-11-2020, 09:35 AM)kilden Wrote: 2) Is the esc() function (or something else) useful when sending an email? (for preventing loading malware inside the email, maybe?)
Only if the content of said email is generated by the user.

(07-11-2020, 09:35 AM)kilden Wrote: 3) Is it useful to enable 'csrf' with any form, or is strong validation enough?
CSRF protection should always be on. With validation.

(07-11-2020, 09:35 AM)kilden Wrote: 4) What kind of simple captcha would you recommend for bots? I've tried to install ReCaptcha 3 and 2 without success because of issues with Firefox and Apple Safari, which don't allow loading such an external resource. It told me: "The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored."
You need to fix your Content Security Policy; usually it's due to the fact that you don't include the hash of the external resources in your code.

(07-11-2020, 09:35 AM)kilden Wrote: If I use the function esc() in a View, for example in a contact form on a textarea, it will change all special characters and it's not really appropriate. If a visitor writes something like " dont't ", it will change the text into " don't " if there is a validation.
All form_ helpers have a built-in esc($value, 'html') applied to the value. Extras have esc($value, 'attr'). https://codeigniter.com/user_guide/helpe...eld-values
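As an added illustration of the answers above (example code written for this thread, not taken from the CodeIgniter user guide or from any poster): a contact-form view that keeps CSRF on, escapes each user-controlled value in the context it is rendered in, and lets the form_ helper do its own escaping. It assumes the controller validated the POST body and passed two arrays, $errors and $values (both assumed names), and that the form helper is loaded with helper('form').

```php
<?php
// app/Views/contact.php (assumed path) - added example, not project code.
// $errors : validation messages from the controller (assumed variable)
// $values : previously submitted input, stored unescaped (assumed variable)
$email   = $values['email']   ?? '';
$message = $values['message'] ?? '';
?>
<?= form_open('contact') ?>
<!-- form_open() emits the hidden CSRF token field itself when the csrf
     filter is enabled, so CSRF stays on for this form with no extra work. -->

<?php foreach ($errors ?? [] as $error): ?>
    <!-- Element-body context: esc() defaults to 'html'. Error messages can
         echo back what the visitor typed, so they are user-controlled too. -->
    <p class="error"><?= esc($error) ?></p>
<?php endforeach ?>

<label for="email">Email</label>
<!-- Attribute context: a value inside value="..." needs the 'attr' escaper,
     not 'html', because the attacker-controlled character here is the quote. -->
<input type="email" id="email" name="email" value="<?= esc($email, 'attr') ?>">

<label for="message">Message</label>
<!-- Textarea body is HTML element content, so 'html' is the right context.
     The browser decodes the entities before display: a visitor who typed
     don't sees don't on screen; only the page source contains &#039;. -->
<textarea id="message" name="message"><?= esc($message) ?></textarea>

<!-- Equivalent using the helper, which applies esc($value, 'html') to the
     value and esc(..., 'attr') to the extra attributes on its own. Use one
     or the other; wrapping the helper's value in esc() again would
     double-encode it (don't would become don&amp;#039;t). -->
<?php /* <?= form_textarea('message', $message, ['id' => 'message']) ?> */ ?>

<button type="submit">Send</button>
<?= form_close() ?>
```

Sending the validated $message by email is a separate output context: if the mail is built as HTML it is still user-supplied content and needs esc() there as well, exactly as the reply above says.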