filter input - escape output
In theory I completely understand what is being said here and how we should not manipulate the data that is saved in the database (hence why xss_clean has been deprecated from the form validation); however, could someone please explain it using the example below:
We have a login page with: email: _________ password: _________ How do I make sure that an XSS attack does not happen here? In other words, how do I escape the output? Or what should I do in terms of filtering the input?
What's your output?
Basically you escape the output by using `html_escape()` in your view files.
https://www.codeigniter.com/userguide3/h...eld-values It is an alias for `htmlspecialchars()`. But in some places, using `html_escape()` is not enough. See https://www.owasp.org/index.php/XSS_%28C...es_Summary
In addition to the existing function html_escape() I've got functions for escaping in other contexts:
Code: // Escapers I use the internal escapers of Twig because I already have it. But it is not necessary for you to install Twig in your system; you can easily rewrite the bodies of these helper functions by using the small component Zend\Escaper https://github.com/zendframework/zend-escaper It has the same routines inside; install it with Composer.
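To make the two points above concrete (html_escape() covers HTML contexts; other contexts need their own escaper), here is an added example in plain PHP. It is not code from this thread, from Twig or from CodeIgniter; esc_html() does what CI3's html_escape() does, and the other function names and the sample e-mail value are made up for the illustration.

```php
<?php
// Added example, not code from this thread or from CodeIgniter itself:
// one escaper per output context. esc_html() matches what CI3's html_escape()
// does; esc_js() and esc_url_param() are hypothetical names.

// HTML body text and quoted attribute values.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript context: returns a complete, quoted JS string literal in which
// quotes, <, >, & and non-ASCII are \uXXXX-encoded, so the value can neither
// close the literal nor the surrounding <script> element. Invalid UTF-8 is
// substituted rather than making json_encode() return false.
function esc_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE);
}

// URL query-string component: percent-encodes &, =, spaces and everything
// else that htmlspecialchars() leaves alone.
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample: a submitted e-mail address echoed back into the login
// form after a failed attempt.
$email = 'o\'brien"<b>@example.com';

// 1. Quoted attribute value (the case the form helper handles for you).
echo '<input type="email" name="email" value="' . esc_html($email) . '">', "\n";

// 2. Value handed to a script block: html_escape() is the wrong tool here.
//    Entities are not decoded inside <script>, so the value would arrive
//    corrupted, while backslashes and line breaks pass through unchanged.
echo '<script>var lastEmail = ' . esc_js($email) . ';</script>', "\n";

// 3. Inline event handler: the browser HTML-decodes the attribute before the
//    JavaScript runs, so escape for JS first, then for the HTML attribute.
echo '<a href="#" onclick="prefill(' . esc_html(esc_js($email)) . ')">retry</a>', "\n";

// 4. Link carrying the value in the query string: percent-encode the
//    component, then HTML-escape the whole attribute value.
echo '<a href="' . esc_html('/login?email=' . esc_url_param($email)) . '">resend</a>', "\n";
```

Run it with `php example.php` and compare the four lines: the same input is encoded differently in each context, which is why a single html_escape() call cannot cover them all.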
Note that in the first link that Kenjis cited - that for echoing out a value in a form field - you don't have to use that function IF you are using the CodeIgniter form helper. The form helper makes it much faster to build out form fields, and having that security there automatically is also a big plus.