Best way to include Htmlpurifier
#1

[eluser]@robertotra[/eluser]
Hello,
looking for posts about Htmlpurifier, I found some instructions on how to include it in CodeIgniter at:

Quote: http://ellislab.com/forums/viewthread/204062/

But on the web (linked from Htmlpurifier website) I have found a much simpler solution which however seems to be outdated:

Quote: http://www.mindloop.be/htmlpurifier-and-...framework/

Which is the better way to include?

And also, I have read on another thread that Htmlpurifier "has a big overhead":

Quote: http://ellislab.com/forums/viewthread/210193/

Is it true? Did anyone else experience the same or did some benchmarking?

Thanks
Roberto
#2

[eluser]Bhashkar Yadav[/eluser]
You can clean the POST/GET data before saving it into the database. Please look at http://ellislab.com/codeigniter/user-gui...urity.html
#3

[eluser]vbsaltydog[/eluser]
Use the form validation library to set rules on all form data to sanitize user input.

http://ellislab.com/codeigniter/user-gui...ation.html
#4

[eluser]Bhashkar Yadav[/eluser]
You can also set csrf_protection and global_xss_filtering to TRUE in application/config/config.php, but it isn't preferred because these checks run all the time and can lower performance.
#5

[eluser]@robertotra[/eluser]
I do use the form validation library to sanitize user input and have enabled csrf_protection to be sure that the user posting data is the same one who received the input form, while I kept the global_xss_filter disabled (to be used only when needed) because of the unnecessary extra work.

But I was talking about HTML output, not user input. Someone wisely said "sanitize input, escape output": why do you focus only on user input? If for any reason some code succeeds in bypassing the input check or uses a security hole in CI (who can safely say there will never be one?), I wish to be sure it is not sent to my output. That's where htmlpurifier can come to help.

Don't you agree?
Roberto
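The "escape output" side of the discussion above, as an added example that is not code from this thread or from any of the linked projects: a small CodeIgniter 2.x library wrapper around HTMLPurifier that is loaded like any other CI library and run over stored HTML right before it is echoed in a view. The class name `Htmlpurifier`, the `third_party/htmlpurifier/` location and the `application/cache/htmlpurifier` cache directory are assumptions of this example; the `HTMLPurifier_Config` directives used are real HTMLPurifier settings.

```php
<?php
// application/libraries/Htmlpurifier.php
// Added example wrapper (not the thread's or the refringe repository's code).
// Assumes HTMLPurifier's standalone build has been copied to
// application/third_party/htmlpurifier/HTMLPurifier.standalone.php.
defined('BASEPATH') OR exit('No direct script access allowed');

class Htmlpurifier
{
    /** @var HTMLPurifier */
    private $purifier;

    public function __construct()
    {
        require_once APPPATH . 'third_party/htmlpurifier/HTMLPurifier.standalone.php';

        $config = HTMLPurifier_Config::createDefault();

        // Whitelist, not blacklist: only these elements and attributes survive.
        // Everything else (script, style, iframe, on* handlers, unknown tags)
        // is dropped, which is what makes this a safe last line of defence
        // for markup that slipped past input validation.
        $config->set('HTML.Allowed',
            'p,br,b,strong,i,em,ul,ol,li,a[href|title],blockquote,code,pre');

        // Only plain web/mail links are allowed in href; javascript: and data:
        // URIs are rejected even though <a> itself is permitted.
        $config->set('URI.AllowedSchemes',
            array('http' => true, 'https' => true, 'mailto' => true));

        // Drop empty leftovers such as <p></p> produced by stripping tags.
        $config->set('AutoFormat.RemoveEmpty', true);

        // The "overhead" mentioned in the thread is mostly definition building;
        // pointing the serializer cache at a writable directory lets HTMLPurifier
        // reuse the parsed definitions across requests instead of rebuilding them.
        $cache = APPPATH . 'cache/htmlpurifier';   // assumed, writable by PHP
        if ( ! is_dir($cache))
        {
            mkdir($cache, 0755, true);
        }
        $config->set('Cache.SerializerPath', $cache);

        $this->purifier = new HTMLPurifier($config);
    }

    /**
     * Clean one HTML string, or every string in an array, for output.
     * Call this on the way OUT (in the controller, just before the view),
     * not on the way in, so the stored original is preserved and the
     * policy can be tightened later without re-processing the database.
     */
    public function purify($dirty)
    {
        if (is_array($dirty))
        {
            return array_map(array($this, 'purify'), $dirty);
        }
        return $this->purifier->purify((string) $dirty);
    }
}

/* Usage in a controller (example):
 *
 *   $this->load->library('htmlpurifier');
 *   $data['body'] = $this->htmlpurifier->purify($post->body);  // rich-text HTML
 *   $data['title'] = htmlspecialchars($post->title, ENT_QUOTES, 'UTF-8'); // plain text
 *   $this->load->view('post', $data);
 */
```

HTMLPurifier is the right tool only for fields that are meant to contain HTML; for plain-text fields (titles, usernames) a simple `htmlspecialchars()` with `ENT_QUOTES` at output time is cheaper and sufficient, which also keeps the purifier's cost confined to the few places that need it.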
#6

[eluser]Unknown[/eluser]
@robertotra,

I agree with you and am looking into using HTMLpurifier myself. I found a github repository where someone has created a Codeigniter library for HTMLpurifier; this will make it significantly easier to use HTMLpurifier with CI:

https://github.com/refringe/codeigniter-htmlpurifier

Hope this helps.

Note: I see the original question was asked a few months ago; I posted this response because it may be useful to others.