Welcome Guest, Not a member yet? Register   Sign In
CI4: what the use of esc inside view
#1

What the use of escaping inside renderer or view ?

I don't see any threat because the content is generated by developer's code or developer's template which not intend for harming their users
Reply
#2

Not all content is generated by the developer's (code/template)...

Don't assume you'll catch everything going in or your customers won't find a way to break something(because they will).
Reply
#3

(This post was last modified: 07-25-2018, 01:22 AM by Pertti.)

Indeed, it's when users try to add script tags.

For example, if they manage to add script tag to their name, which has no visual representation, so they could hijack admin sessions every time admin user checks anything to do with said user name.

Few years back the common way was to filter through all that and save cleaned values to DB. That does have a drawback that if someone manages to find a way around filters, all old data would need to be checked again, something you as developer, might not even be aware of - giving you false sense of security.

So at the moment the best practice seems to be add it as in in DB, and escape everything when displaying it.
Reply
Reply
#5

(07-25-2018, 01:22 AM)Pertti Wrote: Few years back the common way was to filter through all that and save cleaned values to DB. That does have a drawback that if someone manages to find a way around filters, all old data would need to be checked again, something you as developer, might not even be aware of - giving you false sense of security.

Somewhat answer my question.
I get it. But I havent seen live example.

I fork CI4 - View to accept min.html as template view (as in CI3), and wonders if i can skip some checks to eek out performance
Reply
#6

(07-25-2018, 04:14 PM)anthos1984 Wrote:
(07-25-2018, 01:22 AM)Pertti Wrote: Few years back the common way was to filter through all that and save cleaned values to DB. That does have a drawback that if someone manages to find a way around filters, all old data would need to be checked again, something you as developer, might not even be aware of - giving you false sense of security.

Somewhat answer my question.
I get it. But I havent seen live example.

I fork CI4 - View to accept min.html as template view (as in CI3), and wonders if i can skip some checks to eek out performance

Don't skimp where security is concerned. And don't worry about performance that much. CI is pretty darned fast. If you have a view that is slow - cache that view and call it done.
Reply
#7

(07-25-2018, 04:14 PM)anthos1984 Wrote: I fork CI4 - View to accept min.html as template view (as in CI3), and wonders if i can skip some checks to eek out performance

A question, though - what do you mean "accept min.html as template view"? You should be able to do everything that you could with CI3, and if not, I'd like to see about fixing that in the core.
Reply
#8

(07-26-2018, 06:17 AM)kilishan Wrote: A question, though - what do you mean "accept min.html as template view"? You should be able to do everything that you could with CI3, and if not, I'd like to see about fixing that in the core.

on CI4 on system/View/View.php has this line (about line 170)
PHP Code:
$this->renderVars['view'] = str_replace('.php'''$view) . '.php'
As I see on docs, it accept template file as php file (You call it views, but I don't want to get confused with view controller or renderer).
If I have .html, then it thinks my file as min.html.php which not exist.

So I change into this (as in CI3)

PHP Code:
$fileExt pathinfo($viewPATHINFO_EXTENSION);
$realPath = ($fileExt === NULL) ? $view.'.php' $view;
$this->renderVars['view'] = $realPath
So it adds .php only if template file doesn't have extension.
If you ask why I didn't use php? Because minify tool on netbeans can picks .html and rename to .min.html (cannot rename to .php).

we don't need to send comments and empty space, so it will reduce some data to send. Also stripping with php script takes time, better we stripped it before serving the pages to user. Also you can compress some image to reduce more (stripping EXIF data if not needed, compress png, vacuuming svg, etc)
Reply
#9

Oh, gotcha. Yeah, that should be fixed. Can you file a Issue over at Github please so that it doesn't get lost?
Reply
#10

I haven't use github before. But I have uploaded the proposal
Reply




Theme © iAndrew 2016 - Forum software by © MyBB