Hello,
I have a few questions regarding XSS Cleaning in CI:
1. I noticed that the template parser does not xss_clean the output. Is there any specific reason for that? I know we should manually clean all outputs, but I was hoping for some kind of protection against forgetting a single output by mistake. If the template parser had it, that would be awesome.
If this is just the developers not having had the time, is it okay if I add it myself by extending CI_Parser, or is there a good reason not to do this?
2. If we want an output to be xss_cleaned but also don't want HTML tags to be processed, we should do this, right?
PHP Code:
echo html_escape(xss_clean($var));
I do it to prevent names from being something like <h1>anything</h1> and breaking the design. I cannot validate names to be alphabetic because the website is multilingual (or maybe I should validate by checking if the user input has HTML special chars? Not sure if that will prevent every possible attack).
3. I know the reason they removed global_xss_filtering, but if we really don't need to output any HTML and we manually prevent xss_clean on passwords ( $this->input->post('password', FALSE) ), is it still really bad to use it? I mean, isn't it better than forgetting to clean even a single output in the entire project, which would ruin everything?
I'm just trying to learn more and need an expert's advice on these. Hope you guys will help.
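One way to get the "escape by default" behaviour asked about in question 1 is a MY_Parser extension that HTML-escapes every scalar placeholder before CI_Parser splices it into the template, with an explicit opt-out list for the few values that really must be emitted as raw HTML. This is an added example written for this thread, not code from CodeIgniter or from the poster; it assumes the CI 3.x "MY_" library-extension convention (application/libraries/MY_Parser.php), the _parse_single() hook that CI 3.x's Parser.php calls for each scalar value (check your version's system/libraries/Parser.php), and the built-in html_escape() helper. The raw_keys property and set_raw_keys() method are names chosen for this example.

```php
<?php
// application/libraries/MY_Parser.php (assumed CI 3.x "MY_" extension path)
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Parser extends CI_Parser
{
    // Placeholder names whose values are inserted as-is (trusted HTML only).
    // Name chosen for this example; not part of CI_Parser.
    protected $raw_keys = array();

    // Declare which placeholders may carry raw HTML; everything else is escaped.
    public function set_raw_keys(array $keys)
    {
        $this->raw_keys = $keys;
        return $this;
    }

    // Assumed hook: CI 3.x CI_Parser calls _parse_single($key, $val, $string)
    // for every scalar {placeholder}, including scalars inside {pair}...{/pair}
    // blocks, so escaping here covers loops as well as top-level values.
    protected function _parse_single($key, $val, $string)
    {
        if ( ! in_array($key, $this->raw_keys, TRUE))
        {
            // html_escape() wraps htmlspecialchars() with ENT_QUOTES, so
            // "<h1>anything</h1>" renders as literal text instead of markup.
            $val = html_escape((string) $val);
        }
        return parent::_parse_single($key, $val, $string);
    }
}

/*
 * Usage in a controller (assumed view name and data):
 *
 *   $this->load->library('parser');
 *   $this->parser->set_raw_keys(array('article_html'))
 *                ->parse('profile', array(
 *                    'display_name' => $this->input->post('display_name', TRUE),
 *                    'article_html' => $trusted_html,
 *                ));
 *
 * {display_name} is escaped on output; {article_html} is inserted unchanged.
 */
```

The escape step is what actually answers question 2: output encoding with html_escape() is what stops a name from rendering as a heading, whereas xss_clean() is an input filter that strips or rewrites patterns it recognises and does not guarantee the result is safe to drop into HTML. Escaping at the template boundary also means a forgotten xss_clean() on one value does not become a markup injection, which is the failure mode question 3 worries about; the opt-out list keeps the number of raw-HTML outputs small enough to review by hand.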