Online documentation for Global XSS Filtering section
#1

(This post was last modified: 05-26-2015, 09:22 AM by sparky672.)

The online documentation for "XSS Filtering" here...

http://www.codeigniter.com/user_guide/li...-filtering

says this:

Quote:If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this:
Code:
$config['global_xss_filtering'] = TRUE;

However, when I go to the config.php file and look at this section, I see the following comments:

Quote:
Code:
| WARNING: This feature is DEPRECATED and currently available only
|          for backwards compatibility purposes!

So if it's deprecated, shouldn't the online documentation also state this and explain more about it?

Since the online documentation is missing this information, what is the best practice for global XSS filtering on a new project?  Don't use it (because it's deprecated)?  Do something else?  Do nothing?  Stick with per-item processing?  What?
#2

(05-26-2015, 09:20 AM)sparky672 Wrote: The online documentation for "XSS Filtering" here...

http://www.codeigniter.com/user_guide/li...-filtering

says this:


Quote:If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this:

Code:
$config['global_xss_filtering'] = TRUE;

However, when I go to the config.php file and look at this section, I see the following comments:


Quote:
Code:
| WARNING: This feature is DEPRECATED and currently available only
|          for backwards compatibility purposes!

So if it's deprecated, shouldn't the online documentation also state this and explain more about it?

It shouldn't mention it at all on that page ... https://github.com/bcit-ci/CodeIgniter/c...0bb8c52f05

(05-26-2015, 09:20 AM)sparky672 Wrote: Since the online documentation is missing this information, what is the best practice for global XSS filtering on a new project?  Don't use it (because it's deprecated)?  Do something else?  Do nothing?  Stick with per-item processing?  What?

Use xss_clean() when outputting user-supplied data, or let a templating engine like Twig do that for you - IMO, automatic XSS escaping is the only thing templating engines are useful for anyway ...
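What escaping at output time (instead of a global input filter) looks like in plain PHP, as an added example that is not part of the thread and not CodeIgniter's or Twig's code. `e()` and `render_comment()` are hypothetical names, the sample comments are constructed, and `htmlspecialchars()` stands in here for the automatic escaping a template engine applies.

```php
<?php
// Added example: e() and render_comment() are hypothetical helpers,
// not CodeIgniter or Twig APIs.

// Encode a value for an HTML text node or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one comment; every user-supplied field is encoded where it is output.
function render_comment(array $comment): string
{
    return sprintf(
        '<article title="%s"><h3>%s</h3><p>%s</p></article>',
        e($comment['author']),
        e($comment['author']),
        nl2br(e($comment['body'])) // encode first, then add <br /> for newlines
    );
}

// Constructed sample input, kept exactly as submitted (no input-time filtering),
// so legitimate text containing < > & " ' is stored and shown unchanged.
$comments = [
    ['author' => 'Ann "Al" O\'Hara', 'body' => "if (a < b && c > d) is valid code\nsecond line"],
    ['author' => 'x" onmouseover="alert(1)', 'body' => '<script>alert(1)</script>'],
];

foreach ($comments as $comment) {
    $html = render_comment($comment);

    // Markup from the input must not survive into the page as markup.
    if (strpos($html, '<script>') !== false || strpos($html, '" onmouseover') !== false) {
        throw new RuntimeException('unescaped user input reached the output');
    }
    echo $html, PHP_EOL;
}
```

This encoding covers HTML text nodes and quoted attribute values only; values placed inside inline script, CSS or URLs need encoding for that context.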
#3

(05-27-2015, 09:16 AM)Narf Wrote: It shouldn't mention it at all on that page ... https://github.com/bcit-ci/CodeIgniter/c...0bb8c52f05

Of course removing it is even better. However for consistency, you might want to scour the CI documentation for everything else that's deprecated so you can remove those too.

(05-27-2015, 09:16 AM)Narf Wrote: Use xss_clean() when outputting user-supplied data ....

Thank you. I plan on using xss_clean().
#4

(05-27-2015, 09:54 AM)sparky672 Wrote:
(05-27-2015, 09:16 AM)Narf Wrote: It shouldn't mention it at all on that page ... https://github.com/bcit-ci/CodeIgniter/c...0bb8c52f05

Of course removing it is even better.  However for consistency, you might want to scour the CI documentation for everything else that's deprecated so you can remove those too.

I did say "on that page" ... it just doesn't belong in there, arguably even if it was not deprecated. That doesn't mean deprecated functionalities should be completely removed from the docs.



