CI4: what the use of esc inside view
#3

(This post was last modified: 07-25-2018, 01:22 AM by Pertti.)

Indeed, it's when users try to add script tags.

For example, if they manage to add a script tag to their name, which has no visual representation, they could hijack admin sessions every time an admin user checks anything to do with said user name.

A few years back the common way was to filter through all that and save cleaned values to the DB. That does have a drawback: if someone manages to find a way around the filters, all old data would need to be checked again, something you, as a developer, might not even be aware of - giving you a false sense of security.

So at the moment the best practice seems to be to add it as is in the DB, and escape everything when displaying it.
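The store-raw, escape-on-output pattern from the post above, as an added example that is not part of the original thread or of CodeIgniter's own code. It assumes a constructed user record, and when run outside a CI4 application it defines a simplified stand-in for the framework's esc() helper (same signature, plain htmlspecialchars encoding) so the script runs on its own.

```php
<?php
// Outside a CodeIgniter 4 app esc() does not exist, so a stand-in with CI4's
// signature is defined here. Inside CI4 the framework helper (Laminas Escaper,
// which encodes more characters in the 'attr' context) is used instead.
if (!function_exists('esc')) {
    function esc($data, string $context = 'html', ?string $encoding = null): string
    {
        // Assumption: html and attr contexts are both served by entity encoding here.
        return htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $encoding ?? 'UTF-8');
    }
}

// Constructed record: the value exactly as it sits in the DB, not filtered on input.
$user = [
    'id'   => 42,
    'name' => 'Pertti<script>/* hostile */</script>',
];

// Unsafe view fragment: the raw name is emitted as markup, so the script tag
// becomes part of the page that every admin who opens this list renders.
function unsafeRow(array $user): string
{
    return '<td>' . $user['name'] . '</td>';
}

// Safe view fragment: esc() encodes <, >, &, " and ' so the browser shows the
// name literally. Default context 'html' is for element content; use 'attr'
// when the value lands inside an attribute, because the parsing rules differ.
function safeRow(array $user): string
{
    return '<td data-name="' . esc($user['name'], 'attr') . '">' . esc($user['name']) . '</td>';
}

echo unsafeRow($user), PHP_EOL;
echo safeRow($user), PHP_EOL;
```

Because the DB still holds the original string, fixing or tightening the escaping in the view applies to all existing rows at once, which is the advantage over filtering on input that the post describes.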




