Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter XSS Protection is good, but not enough by itself.

Guys.. you need to read this link and please reply back here.

The author claim that CI internal XSS filter is not strong enough to combat the issue.

I don't know about this since I'm not too 'advance' in CI. Maybe you can share your thought about it.

When it comes to security, nothing is enough by itself.

Read it. And find it of limited use.

None of the examples given pose a thread in itself. Whether or not a string is a thread, depends on where you use it. "FORMAT C:" is a totally innocent string. Unless typed in on the commandline of a Windows box.
The examples used 'could' be a thread if you echo the post variable back as part of an HTML tag. How likely is that, for anyone with a bit of common sense?

And, since the article was published only a few weeks ago, he could have checked 2.0 as well. Which would have revealed that the XSS clean functionality has been completely rewritten, which includes, amongst others, encoding.

I agree with Jelmers response to the article that global xss cleaning is often unnecessary, or even unwanted, and that you should always be conscious about the possible security issues with the application your building. And act upon that.

Theme © iAndrew 2016 - Forum software by © MyBB