[eluser]stuckinphp[/eluser]
I am working on a public facing interface that makes use of a database that is effectively untrusted due to multiple applications accessing it.
I would like a clean way of encoding all my output to UTF-8 with htmlentities to prevent XSS.
CI has nothing built in. The filter that is there is meant for input and does not actually filter all XSS attacks.
I would prefer a blanket fix but don't think there is one.
What I'm really after in this discussion is: what is the best way to filter my output? And is the following the best / most concise solution? (The encode function is a wrapper around htmlentities with UTF-8 and ENT_COMPAT.)
<?php echo form_input("start_date[".encode($id)."]", encode($action->start_date,true), 'class="input input-date dateISO required" readonly=readonly title="must set a date."'); ?>
As you can see it is getting a bit out of hand. Encoding at controller level is just not a solution, as CI doesn't use strict templating. Encoding at model level leaves other possible avenues open. Encoding at time of output seems like the smartest / safest / catch-all way of doing things; I just want someone to confirm I'm not missing something obvious and nicer to look at / maintain.
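The output-time escaping the post describes, written up as an added example that is neither the poster's code nor CodeIgniter's. The helper names encode(), attrs() and safe_input() are this example's own, it assumes PHP 5.4 or later (for ENT_HTML5 and ENT_SUBSTITUTE) and a page served as UTF-8, and it builds the input tag itself instead of calling form_input() so it runs without the framework. It uses ENT_QUOTES rather than ENT_COMPAT so that single-quoted attributes are covered too, and the sample database values are constructed for the demonstration.

```php
<?php
// Added example: not the original poster's code and not part of CodeIgniter.
// Assumes PHP 5.4+ and that the page declares UTF-8 (<meta charset="utf-8">),
// so the charset passed to htmlentities matches what the browser decodes.

// Escape one untrusted string for HTML text or attribute context.
// ENT_QUOTES (instead of ENT_COMPAT) also encodes the single quote, so the
// result is safe inside single-quoted as well as double-quoted attributes.
// ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning an
// empty string, which would otherwise silently blank the whole field.
function encode($value)
{
    return htmlentities((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build an attribute string from an array, escaping every value, so the view
// never concatenates raw untrusted data into the tag. Attribute names are
// developer-controlled keys here; only the values are treated as untrusted.
function attrs(array $attributes)
{
    $out = '';
    foreach ($attributes as $name => $value) {
        $out .= ' ' . $name . '="' . encode($value) . '"';
    }
    return $out;
}

// Output-time wrapper: a single call escapes the name, the value and every
// extra attribute, which is the "catch all cases" point the post is after.
function safe_input($name, $value, array $extra = array())
{
    $attributes = array_merge(array('name' => $name, 'value' => $value), $extra);
    return '<input type="text"' . attrs($attributes) . ' />';
}

// Constructed sample row, as an untrusted shared database might hold it:
// the date carries a double quote that would otherwise close the value
// attribute and let whatever follows become a new attribute.
$id = '42';
$action = new stdClass();
$action->start_date = '2013-01-01" injected="1';

echo safe_input(
    'start_date[' . $id . ']',
    $action->start_date,
    array(
        'class'    => 'input input-date dateISO required',
        'readonly' => 'readonly',
        'title'    => 'must set a date.',
    )
), "\n";
// The quote is emitted as &quot;, so the value stays inside its attribute
// and the tag gains no attribute it was not given by the view.
```

Because every attribute goes through attrs(), the view only ever passes plain values and the escaping lives in one place; swapping encode() for a different encoder (for example a JavaScript or URL context) is then a single change rather than a search through every template.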