XSS Filtering and the $_POST Array
#1

[eluser]xjohnson[/eluser]
Hi, All -

Let me first apologize if I'm asking this question and it's already been answered elsewhere. I searched for an answer to this question in the forum and in the user guide and couldn't find it. Perhaps I'm blind.

Nonetheless, the question I have is this: If the following is found in the config.php file:
Code:
$config['global_xss_filtering'] = TRUE;

then does that mean that form data obtained via both these methods:

Code:
- $this->input->post('foo')
- $_POST['foo']

have been filtered for XSS attempts?


Thanks in advance.



Warm Regards,

xjohnson
#2

[eluser]Mirge[/eluser]
Wouldn't it be faster to put together a small sample test for yourself & find out?
#3

[eluser]xjohnson[/eluser]
[quote author="Mirge" date="1312936167"]Wouldn't it be faster to put together a small sample test for yourself & find out?[/quote]

Yes, Mirge, you are correct. However, experienced CI developers may be able to add valuable insight in their responses to my question, which will add to our knowledge and understanding of "best practices" surrounding the use of the XSS filter. In an attempt to capture that insight, the question has been posed here.



Warm Regards,

xjohnson
#4

[eluser]Mirge[/eluser]
That's true. You should put together a small test & find out :)

I might here in a few, I'm wrapping up some work right now.. looooooong day.

For what it's worth, I *wasn't* trying to sound like an a-hole in my previous post... was taking a break from work, been one of those days.
#5

[eluser]boltsabre[/eluser]
Yeah, your post variables (however you access them either by native PHP code or CI code) have been cleansed.

Although for best practices you should heavily validate input anyway (i.e., if you only want an int, make sure the form throws a validation error if the user does not enter an int!). Cleanse cleanse cleanse!!! XSS filters are notorious for failing as malicious users develop more complicated ways of exploiting them - no filter is 100% safe now (and more importantly in the future), and that is why you should validate your forms to as close as possible to what you desire your input to be.

I have a website with a custom filter that I use a lot, and that's to fail validation if there is a scripting < tag or its HTML entity code value in there anywhere (both opening and closing tags). (I don't need HTML markup by users in that website, and this also has the added benefit that 'spam bots/people' are less likely to leave stupid comments with backlinks to their own websites as they cannot wrap it in anchor tags!!!)
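The approach boltsabre describes (validate each field to the exact shape you want, and fail validation outright when a `<`/`>` or its entity encoding shows up) written out in plain PHP. This is an added example, not code from the thread or from CodeIgniter, and it does not use CI's form_validation class; the field names, rules and sample submissions are constructed for illustration.

```php
<?php
// Added example (not from the thread or from CodeIgniter): plain-PHP form
// validators in the spirit of post #5. Rather than trying to "clean" a value,
// each check either accepts it as-is or reports an error.

/**
 * True only if $value is exactly a whole number: optional '-', then digits
 * with no leading zeros. A regex is used instead of (int) casting so that
 * "12abc", "1e3", "0x1A" and " 12" are all rejected rather than coerced.
 */
function is_strict_int(string $value): bool
{
    return preg_match('/^-?(0|[1-9][0-9]*)$/', $value) === 1;
}

/**
 * True if the value carries an angle bracket in any of the encodings a
 * browser would turn back into '<' or '>': the literal character, the named
 * entities (&lt; &gt;), and decimal or hexadecimal numeric entities, with or
 * without the trailing ';' and with optional leading zeros.
 */
function contains_tag_marker(string $value): bool
{
    $patterns = [
        '/[<>]/',               // literal angle brackets
        '/&(lt|gt);?/i',        // named entities
        '/&#0*(60|62);?/',      // decimal entities, e.g. &#60; or &#0062
        '/&#x0*(3c|3e);?/i',    // hex entities, e.g. &#x3C; or &#X03e
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $value) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Validate a submitted form array (e.g. $_POST) against simple rules.
 * Supported rules: 'int' (must satisfy is_strict_int) and 'no_markup'
 * (must not satisfy contains_tag_marker). Fields named in $rules but
 * absent from $post are reported as missing; extra fields are ignored.
 * Returns a list of error messages; an empty list means the form is valid.
 */
function validate_form(array $post, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => $checks) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field: missing";
            continue;
        }
        $value = $post[$field];
        foreach ($checks as $check) {
            if ($check === 'int' && !is_strict_int($value)) {
                $errors[] = "$field: must be a whole number";
            } elseif ($check === 'no_markup' && contains_tag_marker($value)) {
                $errors[] = "$field: markup is not allowed";
            }
        }
    }
    return $errors;
}

// Constructed sample submissions standing in for $_POST (hypothetical fields).
$rules = ['age' => ['int'], 'comment' => ['no_markup']];

$good = ['age' => '42', 'comment' => 'Nice write-up, thanks.'];
$bad  = ['age' => '42abc', 'comment' => 'see &#x3C;a href="http://example.com">here'];

echo "good form errors:\n";
print_r(validate_form($good, $rules));   // empty list: accepted

echo "bad form errors:\n";
print_r(validate_form($bad, $rules));    // one error for age, one for comment
```

Two design points: the check runs on the decoded value PHP hands you, so it is applied after any URL-decoding the request went through, and it deliberately rejects instead of stripping, because a stripped value can still be reassembled by an attacker who anticipates the filter (the failure mode boltsabre warns about). If you need a user to be able to write a literal less-than sign (for instance in a code-discussion field), that field gets its own rule and its output is entity-escaped at render time; it should not share the blanket `no_markup` rule.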



