Online documentation for Global XSS Filtering section
The online documentation for "XSS Filtering" here...
http://www.codeigniter.com/user_guide/li...-filtering says this: Quote:If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this: However, when I go to the config.php file and look at this section, I see the following comments: Quote: So if it's deprecated, shouldn't the online documentation also state this and explain more about it? Since the online documentation is missing this information, what is the best practice for global XSS filtering on a new project? Don't use it (because it's deprecated)? Do something else? Do nothing? Stick with per-item processing? What? (05-26-2015, 09:20 AM)sparky672 Wrote: The online documentation for "XSS Filtering" here... It shouldn't mention it at all on that page ... https://github.com/bcit-ci/CodeIgniter/c...0bb8c52f05 (05-26-2015, 09:20 AM)sparky672 Wrote: Since the online documentation is missing this information, what is the best practice for global XSS filtering on a new project? Don't use it (because it's deprecated)? Do something else? Do nothing? Stick with per-item processing? What? Use xss_clean() when outputting user-supplied data, or let a templating engine like Twig do that for you - IMO, automatic XSS escaping are the only thing templating engines are useful for anyway ... (05-27-2015, 09:16 AM)Narf Wrote: It shouldn't mention it at all on that page ... https://github.com/bcit-ci/CodeIgniter/c...0bb8c52f05 Of course removing it is even better. However for consistency, you might want to scour the CI documentation for everything else that's deprecated so you can remove those too. (05-27-2015, 09:16 AM)Narf Wrote: Use xss_clean() when outputting user-supplied data .... Thank-you. I plan on using xss_clean(). (05-27-2015, 09:54 AM)sparky672 Wrote:(05-27-2015, 09:16 AM)Narf Wrote: It shouldn't mention it at all on that page ... 
https://github.com/bcit-ci/CodeIgniter/c...0bb8c52f05 I did say "on that page" ... it just doesn't belong in there, arguably even if it was not deprecated. That doesn't mean deprecated functionalities should be completely removed from the docs. |
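Added example, not code from the thread or from the CodeIgniter project: what Narf's advice to escape user-supplied data at output time (rather than relying on the deprecated global filter switch in config.php, `$config['global_xss_filtering']`) looks like in plain PHP. Inside a CodeIgniter 3 view you would call the framework's own `html_escape()`, or pass `TRUE` as the second argument to `$this->input->post()` to run `xss_clean()` on a single item. Because this script must run under the PHP CLI without the framework loaded, it calls `htmlspecialchars()` and `json_encode()` directly; the function names `esc_html`, `esc_js` and `render_comment`, and the sample comment, are assumptions constructed for the example. It assumes PHP 7.3 or later for `JSON_THROW_ON_ERROR`.

```php
<?php
// Added example, not from the CodeIgniter project or the forum thread.
// Escape user-supplied data when it is output, choosing the escaper by the
// context it lands in (HTML text/attribute vs. inline JavaScript string).
// In CodeIgniter 3 esc_html() corresponds to the framework's html_escape();
// here plain PHP functions are used so the script runs without the framework.

declare(strict_types=1);

/** Escape for an HTML text node or a double-quoted attribute value. */
function esc_html(string $s): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of silently returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape for use as a string literal inside an inline <script> block. */
function esc_js(string $s): string
{
    // JSON_HEX_* turn <, >, &, ' and " into \uXXXX escapes, so a value such as
    // "</script>" cannot terminate the enclosing script element.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

/** Render one comment the way a view would, escaping per output context. */
function render_comment(array $comment): string
{
    $author = esc_html($comment['author']);   // text node
    $title  = esc_html($comment['title']);    // quoted attribute value
    $body   = esc_html($comment['body']);     // text node
    $js     = esc_js($comment['author']);     // JavaScript string literal

    return <<<HTML
<div class="comment" title="{$title}">
  <span class="author">{$author}</span>
  <p>{$body}</p>
  <script>trackAuthor({$js});</script>
</div>

HTML;
}

// Constructed sample input (not real data): the kind of payloads a global
// input filter was meant to catch, one per output context.
$sample = [
    'author' => '</script><script>alert(1)</script>',
    'title'  => '" onmouseover="alert(2)',
    'body'   => "<img src=x onerror=alert(3)> & 'quotes'",
];

echo render_comment($sample);
```

Run it with `php render_comment.php` and every `<`, `>`, `"` and `'` in the three fields comes out as an entity or `\uXXXX` escape, so the markup stays inert. The point of doing this at output rather than with a global input filter is that the same stored value may later be emitted into an attribute, a script block or a JSON response, and each of those needs a different escaper; a filter applied once on POST cannot know which context the data will end up in.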