About security (XSS, CSRF, etc)
#1

With this commit

https://github.com/bcit-ci/CodeIgniter/c...7364f75c4d

I see that $config['global_xss_filtering'] is now deprecated and '... XSS filtering should not be done on input data, but on output instead.'

But what does 'output' really mean? What if I just need to log user input into a file or database and I want it to be as clean as possible?

What are the golden rules about protection against attacks like XSS, CSRF, etc. using CI 3?
#2

It's very simple - XSS is a browser attack, therefore if something isn't displayed in a browser, don't do XSS escaping on it.
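The point made in this answer, as an added PHP example that is not part of the thread or of CodeIgniter itself: the raw string is stored and logged unchanged, and escaping happens only where the value is rendered, with the escaper chosen per output context. The helper names `esc_html`, `esc_js` and `log_line` are assumptions (CI3's own `html_escape()` does what `esc_html` does here); the input is constructed.

```php
<?php
// Added example, not from the thread or CodeIgniter. Demonstrates
// "escape on output, not on input": one stored value, several contexts.

// Constructed sample input: what a hostile user might submit as a name.
$username = '<script>alert(1)</script>" onmouseover="x';

// 1. Persisting: keep the raw value. Use a parameterised query for the
//    database; no HTML escaping belongs at this stage.
$stored = $username;

// 2. Logging: the log is not rendered by a browser, so no XSS escaping.
//    What a log does need is protection against forged entries, so line
//    breaks are neutralised before the value is written.
function log_line(string $field, string $value): string {
    $flat = preg_replace('/[\r\n]+/', ' ', $value);
    return sprintf("[%s] %s=%s\n", date('c'), $field, $flat);
}
file_put_contents('php://stderr', log_line('username', $stored));

// 3. Rendering: escape for the exact context the value lands in.
//    HTML body and attribute context (mirrors CI3's html_escape()).
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
//    Inline JavaScript context: json_encode produces a valid JS string
//    literal; the HEX flags keep <, >, & and quotes out of the <script> body.
function esc_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

echo '<p>Hello, ' . esc_html($stored) . "</p>\n";
echo '<input type="text" value="' . esc_html($stored) . "\">\n";
echo '<script>var user = ' . esc_js($stored) . ";</script>\n";
```

The stored value stays usable for any later purpose (an email, a CSV export, an API response) precisely because nothing HTML-specific was baked into it on the way in.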
#3

(03-01-2015, 08:41 AM)Narf Wrote: It's very simple - XSS is a browser attack, therefore if something isn't displayed in a browser, don't do XSS escaping on it.

Thanks, I've found this interesting article which clarifies a bit

http://lukeplant.me.uk/blog/posts/why-es...-bad-idea/
#4

(03-01-2015, 09:16 AM)geekita Wrote: ...
Thanks, I've found this interesting article which clarifies a bit

http://lukeplant.me.uk/blog/posts/why-es...-bad-idea/

#geekita, Thank you for the link to the article on escaping data, it answered my own questions, in detail.