XSS_Clean on Template Parser?


I have a few questions regarding XSS Cleaning in CI:

1. I noticed that the template parser does not xss_clean the output. Is there any specific reason for that? I know we should manually clean all outputs, but I was hoping for some kind of protection against forgetting a single output by mistake. If the template parser had it, that would be awesome.

If this is just the developers not having had the time, is it okay if I add it myself by extending CI_Parser? Or is there a good reason not to do this?

2. If we want an output to be xss_cleaned but also don't want HTML tags to be processed, we should do this, right?

PHP Code:
echo html_escape(xss_clean($var));

I do it to prevent names from being something like <h1>anything</h1> and breaking the design. I cannot validate names as alphabetic because the website is multilingual (or maybe I should validate by checking whether the user input has HTML special chars? Not sure if that will prevent every possible attack).

3. I know the reason they removed global_xss_filtering, but if we really don't need to output any HTML and we manually prevent xss_clean on passwords ($this->input->post('password', FALSE)), is it still really bad to use it? I mean, isn't it better than forgetting to clean even a single output in the entire project, which would ruin everything?

I'm just trying to learn more and need an expert's advice on these; I hope you guys will help.
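
The extension asked about in question 1, as an added example that is not part of the original post and not CodeIgniter's own code: a CI_Parser subclass that HTML-escapes every scalar value before the parser substitutes it, so a forgotten html_escape() on one {variable} still renders as text rather than markup. It assumes CodeIgniter 3.x, where both parse() and parse_string() funnel through the protected _parse($template, $data, $return) method, and where html_escape() from system/core/Common.php is always loaded. The "_html" key suffix used to opt a value out of escaping is a convention invented here for the example.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

/**
 * application/libraries/MY_Parser.php
 *
 * Added example, not CodeIgniter's own code. With the default subclass
 * prefix, CI loads this class in place of CI_Parser when you call
 * $this->load->library('parser').
 *
 * Assumption: CI 3.x, where parse() and parse_string() both call the
 * protected _parse($template, $data, $return) hook overridden below.
 */
class MY_Parser extends CI_Parser
{
	// Convention introduced by this example (not CI's): a key ending in
	// "_html" is markup the application built itself and is inserted
	// verbatim. Keep such keys rare and never fill them from raw user input.
	const RAW_SUFFIX = '_html';

	/**
	 * Escape the data first, then let CI_Parser do its normal substitution.
	 * Escaping the data rather than the template output means {pair}...{/pair}
	 * loop rows are covered as well as plain {single} variables.
	 */
	protected function _parse($template, $data, $return = FALSE)
	{
		return parent::_parse($template, $this->_escape_data($data), $return);
	}

	/**
	 * Recursively escape scalar values. Arrays are either loop rows or
	 * nested data, so they are walked rather than escaped as a whole.
	 */
	protected function _escape_data(array $data)
	{
		foreach ($data as $key => $val)
		{
			if (is_array($val))
			{
				$data[$key] = $this->_escape_data($val);
			}
			elseif ( ! $this->_is_raw_key($key))
			{
				// html_escape() wraps htmlspecialchars() with ENT_QUOTES and the
				// configured charset, so a value such as <h1>name</h1> is shown
				// literally and cannot break out of an attribute either.
				$data[$key] = html_escape((string) $val);
			}
		}

		return $data;
	}

	/**
	 * Loop rows use integer keys, so only string keys can carry the suffix.
	 */
	protected function _is_raw_key($key)
	{
		return is_string($key)
			&& substr($key, -strlen(self::RAW_SUFFIX)) === self::RAW_SUFFIX;
	}
}
```

Two caveats a practitioner will want. First, html_escape() is correct for HTML text and quoted attribute values only; a value dropped into a <script> block, an inline event handler or a URL needs context-specific encoding, and this class does nothing for views rendered with $this->load->view() that bypass the parser. Second, CI's html_escape() double-encodes by default, so a value that was already escaped on input will display as "&amp;lt;"; escape once, at output, and keep xss_clean() as the input-side filter it is designed to be rather than as a substitute for output escaping.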


Messages In This Thread
XSS_Clean on Template Parser? - by nemeris - 11-27-2016, 04:42 PM
RE: XSS_Clean on Template Parser? - by ciadmin - 11-27-2016, 06:40 PM
RE: XSS_Clean on Template Parser? - by ciadmin - 11-28-2016, 04:07 PM
RE: XSS_Clean on Template Parser? - by nemeris - 11-28-2016, 04:28 PM

