XSS_filtering
#1

The ‘global_xss_filtering’ setting is DEPRECATED and kept solely for backwards-compatibility purposes. XSS escaping should be performed on output, not input!

What does it mean exactly? Should I apply XSS filtering manually, as in $data = $this->security->xss_clean($data);?

Thanks in advance
#2

I think you're in the wrong forum. CI4 doesn't have xss_clean method. Instead it provides the esc() method to escape data in views.

But what it means is that you don't escape data when you get it from the user. Different contexts need different types of escaping. For example, escaping for safety within a database is different than for when it's viewed on a web page. Instead, escape it when you need to use it so you can choose the proper way to handle it.
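The "escape on output, per context" advice above, as an added example that is not code from the thread or from CodeIgniter itself. It assumes a CodeIgniter 4 app where the esc() helper is available in views; the CommentModel, field names and routes are made up for illustration.

```php
<?php
// Added example (not from the thread). Assumes a CodeIgniter 4 app where
// esc() is available in views; CommentModel and field names are hypothetical.

// --- app/Controllers/Comments.php ---
namespace App\Controllers;

use App\Models\CommentModel;   // hypothetical model

class Comments extends BaseController
{
    public function store()
    {
        // Keep the input exactly as the user sent it. No xss_clean() on the way in:
        // the query builder uses bound parameters for storage, and each display
        // context chooses its own escaping when the value is rendered.
        $data = [
            'author' => $this->request->getPost('author'),
            'body'   => $this->request->getPost('body'),
        ];
        (new CommentModel())->save($data);

        return view('comments/show', $data);
    }
}
?>

<?php /* --- app/Views/comments/show.php --- */ ?>

<!-- HTML body: the default 'html' context entity-encodes < > & " ' -->
<p><?= esc($body) ?></p>

<!-- Attribute value: the 'attr' context also neutralises characters that could close the attribute -->
<input type="text" name="author" value="<?= esc($author, 'attr') ?>">

<!-- Inside a JavaScript string literal: the 'js' context hex/unicode-escapes anything unsafe -->
<script>
  const author = '<?= esc($author, 'js') ?>';
</script>

<!-- Inside a URL query string: the 'url' context percent-encodes the value -->
<a href="/profile?u=<?= esc($author, 'url') ?>">profile</a>
```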
#3

(10-18-2018, 09:23 PM)kilishan Wrote: I think you're in the wrong forum. CI4 doesn't have xss_clean method. Instead it provides the esc() method to escape data in views.

But what it means is that you don't escape data when you get it from the user. Different contexts need different types of escaping. For example, escaping for safety within a database is different than for when it's viewed on a web page. Instead, escape it when you need to use it so you can choose the proper way to handle it.

Yes, I posted a topic in the wrong side of forum.

English is not my mother tongue, so sometimes I have doubts about best practices in CodeIgniter.
I am developing a web app and my goal is keeping a high level of security.

Thank You anyway.

P.S. Do you think it is too early to develop apps with CI 4?