xss_clean in CI 3
#1

I am wondering if xss_clean is deprecated or terminated in CI 3.0.0?
I've used it for a while in my form validation.
PHP Code:
$this->form_validation->set_rules('login', 'user', 'trim|required|xss_clean');

Now it throws an error :
Unable to access an error message corresponding to your field name ******

If it's terminated, what is its alternative ?  

Thanks
#2

Hi,

Please check autoloading the security helper. I had the same problem a few weeks ago and this was the solution.

Regards
Dieter
#3

(This post was last modified: 02-18-2015, 12:37 AM by Avenirer.)

xss_clean is no longer part of form validation. The alternative is not to use it, as xss_clean is doing sanitization and not validation.

xss_clean is part of security helper. If you need to do it, after validation you do a:

$this->load->helper('security');
$value = $this->input->post('formvalue', TRUE); // ...where TRUE enables the xss filtering

... I think...

Also, you can enable global xss filtering in the config.php file:

$config['global_xss_filtering'] = TRUE;
#4

You should've read the upgrade instructions or at least searched the forum topics to see if the question hasn't already been answered here (it was, multiple times).

(02-18-2015, 12:16 AM)Avenirer Wrote: xss_clean is no longer part of form validation. The alternative is not to use it, as xss_clean is doing sanitization and not validation.

xss_clean is part of security helper. If you need to do it, after validation you do a:

$this->load->helper('security');
$value = $this->input->post('formvalue', TRUE); // ...where TRUE enables the xss filtering

... I think...

Also, you can enable global xss filtering in the config.php file:

$config['global_xss_filtering'] = TRUE;

Please don't recommend 'global_xss_filtering'. That is a bad solution, even worse than manually applying xss_clean on individual inputs.
#5

@Narf Well... I did mention that xss_clean is not for validation :P
#6

@Narf
  Since you don't "recommend" using xss_clean() on form input, how or where, exactly, do you suggest to perform this kind of cleaning?
CI 3.1 Kubuntu 19.04 Apache 5.x  Mysql 5.x PHP 5.x PHP 7.x
Remember: Obfuscation is a bad thing.
Clarity is desirable over Brevity every time.
#7

(02-18-2015, 08:56 AM)twpmarketing Wrote: @Narf
  Since you don't "recommend" using xss_clean() on form input, how or where, exactly, do you suggest to perform this kind of cleaning?

What is the opposite of input?

No offense, but you should really start paying at least a little attention to detail. This is an essential skill in programming.

My last exchange with you was in relation to something that was already resolved and you copy-pasted the linked information, to which I expressed my annoyance. In your private message following that, you argued that me linking the relevant information instead of writing an in-thread answer was "obfuscation". You did do it in a polite manner though - saying this just to avoid misunderstandings, I'm not trying to make you look bad.

I am equally annoyed now.

Yes, this is a forum board and many people will come here seeking answers. That is all fine for complex, non-standard or otherwise non-obvious problems. But why would we write documentation if we were to repeatedly answer the same questions? We should educate our users to read the documentation, where the (quite obvious) answer to your question is explained.

Please take a note of this.
#8

(02-18-2015, 02:22 AM)Narf Wrote: Please don't recommend 'global_xss_filtering'. That is a bad solution, even worse than manually applying xss_clean on individual inputs.

The thing is, I don't see where the documentation stated that usage of xss_clean is bad. And for sure, it did not state that turning on 'global_xss_filtering' is bad either. Maybe I am reading the wrong documentation, or maybe I wasn't in the right section.

Please feel free to point me there...
#9

(02-18-2015, 01:49 PM)rocks Wrote:
(02-18-2015, 02:22 AM)Narf Wrote: Please don't recommend 'global_xss_filtering'. That is a bad solution, even worse than manually applying xss_clean on individual inputs.

The thing is, I don't see where the documentation stated that usage of xss_clean is bad. And for sure, it did not state that turning on 'global_xss_filtering' is bad either. Maybe I am reading the wrong documentation, or maybe I wasn't in the right section.

Please feel free to point me there...

http://www.codeigniter.com/userguide3/in...ation-rule

Though, indeed, it doesn't say anything about global_xss_filtering, I should add that.
#10

To answer concisely and effectively: $config['global_xss_filtering'] = TRUE is deprecated and is there just to assure interdependence between versions of CI.
Instead, use:
- $this->security->xss_clean($data); // on each data. NO need to load the class Security
// you can see $this->input->post($v, TRUE) or $this->input->get('some_data', TRUE);
// (http://www.codeigniter.com/userguide3/li...-filtering)
- or xss_clean($data), loading the security helper beforehand in order to use this function

have a good day.
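
Added example, not part of any post in this thread: post #3 separates validation from sanitization, and post #7 points to output as the place for the cleaning. The sketch below is plain PHP so it runs without CodeIgniter; validate_login(), esc() and render_comment() are hypothetical names, the submissions are constructed, and esc() stands in for CodeIgniter 3's html_escape().

```php
<?php
// Added example with constructed input; not code from the thread or from CodeIgniter.

// Validation: accept or reject the value, never rewrite it.
function validate_login(string $login): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $login);
}

// Output escaping for an HTML text or attribute context.
// Stand-in (assumption) for CodeIgniter 3's html_escape().
function esc(string $value, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES, $charset);
}

// Escaping is applied here, where the output context is known,
// so the stored value stays exactly what the user typed.
function render_comment(string $author, string $comment): string
{
    return '<p class="comment"><b>' . esc($author) . '</b>: '
         . esc($comment) . '</p>';
}

// Constructed sample submissions.
$submissions = [
    ['login' => 'dieter_01', 'comment' => 'Use 1 < 2 && "quotes" freely'],
    ['login' => 'rocks',     'comment' => '<script>alert(1)</script>'],
    ['login' => 'x"><b>',    'comment' => 'never rendered'],
];

$stored = [];
foreach ($submissions as $s) {
    if (!validate_login($s['login'])) {
        // Rejected by validation; the echoed value is still escaped.
        echo 'rejected login: ' . esc($s['login']) . PHP_EOL;
        continue;
    }
    $stored[] = $s; // stored unmodified, no input-time filtering
}

foreach ($stored as $row) {
    echo render_comment($row['login'], $row['comment']) . PHP_EOL;
}
```

The first comment keeps its `<`, `&&` and quotes intact in storage and is rendered as entities; the second is displayed as literal text rather than interpreted as markup.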



