Why does XSS filtering absolutely not work?
[eluser]Twisted1919[/eluser]
Code: //easy way. However, you need to document yourself about what XSS means (bold/italic & co are not really a threat for making XSS available), to have a basic understanding of how your app might be exposed.
[eluser]kenjis[/eluser]
What exactly do you want to do? If you want to see "<i>Blah blah</i>" in your browser instead of italic "Blah blah", all you have to do is use the htmlspecialchars() function in the view file, e.g. htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
[eluser]Twisted1919[/eluser]
[quote author="Kenji @ CodeIgniter Users Group in Japan" date="1286183129"]What exactly do you want to do? If you want to see "<i>Blah blah</i>" in your browser instead of italic "Blah blah", all you have to do is use the htmlspecialchars() function in the view file, e.g. htmlspecialchars($name, ENT_QUOTES, 'UTF-8')[/quote] Don't teach people stupid stuff.
[eluser]sikko[/eluser]
Hmm ok, so XSS cleaning is not really what I need. What I actually need is an htmlentities/htmlspecialchars-like function. But I wanted it to be automatic. I don't want to put Code: $name = htmlspecialchars($this->input->post('name'), ENT_QUOTES, 'UTF-8') everywhere. And as a good framework, I thought CodeIgniter had some features like that... Maybe I'm wrong...
[eluser]Dennis Rasmussen[/eluser]
No "I don't see". Why should we all suffer from having to enable HTML just because you want it disabled? Sure, the CI team could add a parameter or a method to filter HTML, but so can you.
[eluser]Santiago Dimattía[/eluser]
Just extend the Input class and do whatever you want with the POST data. See the user guide: Creating Libraries > Extending Native Libraries. Code: <?php (defined('BASEPATH')) OR exit('No direct script access allowed');
[eluser]markup2go[/eluser]
[quote author="Santiago Dimattía" date="1286236877"]Just extend the Input class and do whatever you want with the POST data. See the user guide: Creating Libraries > Extending Native Libraries. Code: <?php (defined('BASEPATH')) OR exit('No direct script access allowed');[/quote] I like this answer for some reason...
[eluser]ericrjones1[/eluser]
To selectively apply the HTML cleaning (see code). Otherwise, you wouldn't be able to save any sort of HTML data. But maybe not saving any HTML data is what you want. :blank: Code: <?php (defined('BASEPATH')) OR exit('No direct script access allowed');
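An added example of the selective approach Santiago and ericrjones1 describe; it is not code from the thread or from CodeIgniter itself. It assumes CodeIgniter's CI_Input class with post($index, $xss_clean), and the field name 'body' is a hypothetical one chosen as the only field allowed to keep raw HTML.

```php
<?php
// Added example (not from the thread or CodeIgniter): application/libraries/MY_Input.php
// Assumes CodeIgniter's CI_Input, whose post() takes ($index, $xss_clean).
class MY_Input extends CI_Input
{
    // Hypothetical field names that may keep raw HTML; every other field is escaped.
    protected $html_allowed = array('body');

    // Same signature as the parent so existing $this->input->post() calls keep working.
    public function post($index = NULL, $xss_clean = FALSE)
    {
        $value = parent::post($index, $xss_clean);

        // Whole-array request: escape field by field, skipping the allowed keys.
        if ($index === NULL || $index === '') {
            return is_array($value) ? $this->escape_fields($value) : $value;
        }
        // Single field: skip escaping only when it is explicitly allowed.
        if (in_array($index, $this->html_allowed, TRUE)) {
            return $value;
        }
        return $this->escape_deep($value);
    }

    protected function escape_fields(array $fields)
    {
        foreach ($fields as $key => $value) {
            if ( ! in_array($key, $this->html_allowed, TRUE)) {
                $fields[$key] = $this->escape_deep($value);
            }
        }
        return $fields;
    }

    // Escapes strings, recursing into arrays (e.g. name="tags[]"); other types pass through.
    protected function escape_deep($value)
    {
        if (is_array($value)) {
            return array_map(array($this, 'escape_deep'), $value);
        }
        if (is_string($value)) {
            // ENT_QUOTES so the value is also safe inside single-quoted attributes.
            return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        return $value;
    }
}
```

Values returned this way are already HTML-escaped, so do not escape them a second time in the view or they will show up double-encoded. The raw 'body' field still has to be escaped or sanitised wherever it is displayed.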