[eluser]theshiftexchange[/eluser]
[quote author="luismartin" date="1334870019"]You are preventing SQL injections by using CI's active record, but not XSS attacks (javascript).
To do so, you can perform different steps:
- To set the XSS filtering config variable to TRUE:
$config['global_xss_filtering'] = TRUE;
- To set to TRUE the second parameter of the post() and get() methods of the Input class:
$clean_data = $this->input->post('myfield', true);
- To use the xss_clean method of the Security class:
$clean_data = $this->security->xss_clean($data);[/quote]
Thanks - but if I am using the default CI URI chars - can an XSS attack occur with only those chars?
Code:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
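As an added illustration (not code from this thread or from CodeIgniter itself), the PHP snippet below reproduces the whole-segment, case-insensitive character-class test that permitted_uri_chars drives and reports the first character that falls outside the default set, so you can see exactly what that setting admits. It checks the URI only; POST data is never subject to this setting, which is why the xss_clean steps quoted above still matter for form input.

```php
<?php
// Added example, not code from the thread or from CodeIgniter.
// Mirrors the check CI runs on each URI segment against permitted_uri_chars
// (anchored, case-insensitive, the whole segment must match) and reports
// which character trips it.

const DEFAULT_PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

/**
 * Return null when every segment of $path consists only of permitted
 * characters, otherwise the first offending character found.
 */
function first_disallowed_uri_char(string $path, string $permitted = DEFAULT_PERMITTED_URI_CHARS): ?string
{
    foreach (explode('/', trim($path, '/')) as $segment) {
        if ($segment === '') {
            continue; // a double slash yields an empty segment with nothing to check
        }
        // Same shape as CI's "|^[...]+$|i" test on the segment.
        if (preg_match('/^[' . $permitted . ']+$/i', $segment) === 1) {
            continue;
        }
        // Locate the exact character that is outside the class.
        preg_match('/[^' . $permitted . ']/i', $segment, $m);
        return $m[0];
    }
    return null;
}

// Constructed sample paths (not taken from the thread).
$samples = [
    'blog/view/42',                 // letters, digits, slashes: permitted
    'search/term%20with%20spaces',  // "%" and digits are in the set: permitted
    'page/<b>',                     // "<" is outside the set
    'item/"quoted"',                // '"' is outside the set
];
foreach ($samples as $path) {
    $bad = first_disallowed_uri_char($path);
    printf("%-32s %s\n", $path, $bad === null ? 'permitted' : "rejected on '$bad'");
}
```

Run it with `php` from the command line; the rejected rows show the character that CI's "disallowed characters" error would be triggered by, while the characters that do pass are only as safe as the code that later echoes them.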