About security (XSS, CSRF, etc)
With this commit
https://github.com/bcit-ci/CodeIgniter/c...7364f75c4d I see that $config['global_xss_filtering'] is now deprecated and '... XSS filtering should not be done on input data, but on output instead.'. But what does 'output' really mean? What if I just need to log user input into a file or database and I want it to be as clean as possible? What are the golden rules about protection against attacks like XSS, CSRF, etc. using CI 3?
It's very simple - XSS is a browser attack, therefore if something isn't displayed in a browser, don't do XSS escaping on it.
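The distinction Narf draws above, as an added example that is not from this thread or from CodeIgniter's own code: the same user-supplied string is written to a log, stored in a database and rendered in two browser contexts, and only the browser contexts get escaping, each with the encoder for that context. The log path, the table name and the sample input value are constructed for the example; the database is an in-memory SQLite connection via PDO so the script runs stand-alone.

```php
<?php
// Added example, not from the thread or CodeIgniter: keep input raw, escape per output context.

// Constructed sample input: a legitimate value that happens to contain HTML-significant characters.
$username = 'Tom & Jerry <3 "quotes"';

// 1. Logging: write the raw value. A log file is read by people and log tooling, not by a
//    browser, so HTML-escaping here would corrupt the record ("&amp;" where the user typed "&").
$logFile = tempnam(sys_get_temp_dir(), 'auth');            // stand-in for the real log path (assumption)
file_put_contents($logFile, sprintf("[%s] login attempt user=%s\n", date('c'), $username), FILE_APPEND);

// 2. Database: pass the raw value as a bound parameter. SQL injection is prevented by
//    parameterisation, not by HTML escaping, and the stored value is exactly what was typed.
//    (Plain PDO is used so the example is self-contained; CodeIgniter's query builder binds the same way.)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->execute([$username]);
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
assert($stored === $username);                               // nothing was altered on the way in

// 3. HTML body/attribute output: escape at the moment of rendering, for the HTML context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. Inline JavaScript output: a different context needs a different encoder. The JSON_HEX_*
//    flags make the literal safe to embed inside a <script> block.
function js(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

echo '<p>Welcome, ' . e($stored) . "</p>\n";
echo '<script>var user = ' . js($stored) . ";</script>\n";

// 5. What goes wrong with input-time filtering: a value escaped once on the way in is escaped
//    again at output, so the page shows literal "&amp;" and "&lt;" to the user.
$prefiltered = e($username);                                 // simulates global_xss_filtering-style input escaping
echo '<p>' . e($prefiltered) . "</p>\n";

unlink($logFile);
```

Run it with `php example.php` and compare the three rendered lines: the first two are safe and readable, the third shows the double-encoding that motivates the deprecation in the commit the question links to. The rule the code embodies is that the raw value is the canonical one; each consumer (log, SQL, HTML, JavaScript) applies exactly the transformation it needs at the point of use.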
(03-01-2015, 08:41 AM)Narf Wrote: It's very simple - XSS is a browser attack, therefore if something isn't displayed in a browser, don't do XSS escaping on it. Thanks, I've found this interesting article which clarifies a bit http://lukeplant.me.uk/blog/posts/why-es...-bad-idea/
(03-01-2015, 09:16 AM)geekita Wrote: ... #geekita, Thank you for the link to the article on escaping data, it answered my own questions, in detail.