Best practice: Using the CI's XSS filter
#1

[eluser]Optimus Prime[/eluser]
Hi! I want to know when and where it is best to put an XSS filter, based on your experiences.

I didn't know about XSS attacks when I read about this CI filter. I read several articles and forums about XSS attacks, but not about how to apply a filter to prevent them, or at least where and when to put a filter.

I see that the XSS filter that CI includes takes a certain amount of processing. So, as a second question: if I have a good server (supposing I have a Core 2 Duo with 1GB RAM), is it a good idea to activate the XSS filter to process all POST data (or other input data)?

I'm developing a large site that will be visited by many people and I intend to use the XSS filter at least for the administration control panel of the site, if the XSS filter is really necessary and is a good practice. I don't want to abuse this filter in order to protect the server. That's why I'm asking in this topic.

I hope that you can help me with your experience.
#2

[eluser]Michael Wales[/eluser]
I set it up to run globally on all input and have yet to have any issues with it - the impact is minimal.
#3

[eluser]Derek Allard[/eluser]
I second the global running of xss. Set it in the config and be done with it. The security lib is very fast, and I've not noticed any impact since switching many of my apps from single calls to global calls.

I'd need to think it through more, but I think a strong argument could be made for having global xss on by default, and if a developer doesn't want it to run, then they can set it to false. That said, it isn't the place of a framework to make architectural decisions for a dev, so I'll just continue to recommend people turn it on by default ;)
#4

[eluser]esra[/eluser]
According to the docs, there is a performance hit when XSS filtering is set to run globally, but I'm also running it globally like Michael. CI is considerably faster than most frameworks, so you might find the performance hit negligible.

It's required when using GET and POST in forms and when setting cookies. I guess you could manually code it when handling any kind of input operation in your code. I would recommend turning it on globally for now and building your application. Later you can turn it off to get a better idea of what the performance hit is in the final application, and manually enter code for your input operations if you find it necessary.
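The two ways of applying the filter that the replies above describe (the global config switch versus a per-call flag), as an added example that is not from the original thread. It assumes CodeIgniter 3.x; the Comments controller, the field names and the view name are hypothetical, and it also shows the output-side escaping that the input filter does not replace.

```php
<?php
// application/config/config.php
//   $config['global_xss_filtering'] = FALSE;  // default: nothing is filtered unless you ask
//   $config['global_xss_filtering'] = TRUE;   // the "set it in the config" option:
//                                             // xss_clean() runs over every GET/POST/COOKIE value
//
// application/controllers/Comments.php (hypothetical controller)
class Comments extends CI_Controller
{
    public function submit()
    {
        // Per-call filtering: the second argument TRUE runs xss_clean() on this
        // field only. With global filtering ON the flag is redundant but harmless.
        $body = $this->input->post('body', TRUE);

        // The same filter applied explicitly, for data that did not come
        // through $this->input (or when you want the call to be visible).
        $title = $this->security->xss_clean($this->input->post('title'));

        // Store the filtered values (table name assumed).
        $this->db->insert('comments', array('title' => $title, 'body' => $body));

        // xss_clean() strips known-dangerous constructs; it is not an HTML encoder.
        // The view still has to encode for its output context, so escape here too.
        $data['title'] = html_escape($title);
        $data['body']  = html_escape($body);
        $this->load->view('comments/show', $data);
    }
}
```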
#5

[eluser]Optimus Prime[/eluser]
Thanks for sharing your experience, it is very useful.

I hope that more people share their experiences in this topic and we can grow to be better CI developers =).