• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
XSS_Clean on Template Parser?

To be clear, I don't know when or why xss_clean was removed from the template parser or if it was ever there; I am not expert enough (from a security perspective) to address if it should be there or not, but I can see it *optionally* helpful.

One of my uses for the template parser is to inject XML/HTML from a database into a view, and forcing xss_clean would seem counter-intuitive to that.

CI4's View & Parser classes support optional escaping of view parameter values, which might serve the same intent as your question.

I don't see other responses to this thread, nor other community members bringing up the issue, so am not sure how much interest there would be in such an enhancement.

You asked about extending CI_Parser... that can always be done (core/MY_Parser). However, you are welcome to submit a PR to our github repo, with that proposed change to the parser Smile That could be a better way to get the community to chime in!

Messages In This Thread
XSS_Clean on Template Parser? - by nemeris - 11-27-2016, 04:42 PM
RE: XSS_Clean on Template Parser? - by ciadmin - 11-27-2016, 06:40 PM
RE: XSS_Clean on Template Parser? - by ciadmin - 11-28-2016, 04:07 PM
RE: XSS_Clean on Template Parser? - by nemeris - 11-28-2016, 04:28 PM

Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  

  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.