CodeIgniter and Rest Server library and xss
#1

Hello,
Using CodeIgniter 3.0.3 and the Rest Server library https://github.com/chriskacerguis/codeig...stallation, version @version 3.0.0, I want to have protection against HTML injection.
In this lib I found lines like:

PHP Code:
    /**
     * Enable XSS flag
     * Determines whether the XSS filter is always active when
     * GET, OPTIONS, HEAD, POST, PUT, DELETE and PATCH data is encountered.
     * Set automatically based on config setting
     *
     * @var bool
     */
    protected $_enable_xss = FALSE;
...
        $this->_enable_xss = ($this->config->item('global_xss_filtering') === TRUE);
... 

But in the config file of the CodeIgniter 3.0.3 project I see a mention that this feature is DEPRECATED:

PHP Code:
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
| WARNING: This feature is DEPRECATED and currently available only
|          for backwards compatibility purposes!
|
*/
$config['global_xss_filtering'] = FALSE;

Which could be a good way to do this?
Usually, to escape HTML, I use: htmlentities($text, ENT_COMPAT, 'UTF-8')

Would it be a good way to override the REST_Controller class and, in my class, add htmlentities to all the data-reading methods, like this?

PHP Code:
    /**
     * Retrieve a value from a GET request
     *
     * @access public
     * @param NULL $key Key to retrieve from the GET request
     * If NULL an array of arguments is returned
     * @param NULL $xss_clean Whether to apply XSS filtering
     * @return array|string|NULL Value from the GET request; otherwise, NULL
     */
    public function get($key = NULL, $xss_clean = NULL)
    {
        if ($key === NULL)
        {
            return $this->_get_args;
        }

        return isset($this->_get_args[$key]) ? $this->_xss_clean($this->_get_args[$key], $xss_clean) : NULL;
    }
...
    /**
     * Retrieve a value from a POST request
     *
     * @access public
     * @param NULL $key Key to retrieve from the POST request
     * If NULL an array of arguments is returned
     * @param NULL $xss_clean Whether to apply XSS filtering
     * @return array|string|NULL Value from the POST request; otherwise, NULL
     */
    public function post($key = NULL, $xss_clean = NULL)
    {
        if ($key === NULL)
        {
            return $this->_post_args;
        }

        return isset($this->_post_args[$key]) ? $this->_xss_clean($this->_post_args[$key], $xss_clean) : NULL;
    }
#2

You don't need XSS escaping, unless you are serving HTML-formatted resources directly as pages from your "REST server" and that is a very, very rare case.
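As an added example (not code from the thread or from the Rest Server library), the distinction drawn in #2 expressed in plain PHP: the received value is stored untouched, a JSON endpoint relies on json_encode() plus the correct Content-Type, and HTML escaping is applied only where the value is interpolated into markup. The function names and the sample input are constructed for illustration.

```php
<?php
// Added example, not from the thread or the Rest Server library.
// Constructed sample input, as it might arrive in a POST body. It is kept
// unmodified; encoding happens only at the output boundary, per context.
// Encoding at input time (htmlentities() inside get()/post()) would instead
// alter the stored data for every consumer, including non-HTML clients.
$comment = '<i>markup</i> & "quotes" <a href=x>link</a>';

// JSON endpoint (the normal case for a REST server). json_encode() is the
// encoder for this context. The JSON_HEX_* flags additionally turn < > & ' "
// into \uXXXX escapes, and the headers stop a browser from interpreting the
// body as HTML, which is the only way such a body could become an XSS vector.
function json_response(array $payload): string
{
    if (!headers_sent()) {
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR;
    return json_encode($payload, $flags);
}

// HTML page (the rare case #2 mentions). Only here does HTML escaping belong,
// applied to the value at the exact point where it is placed inside markup.
function html_response(string $text): string
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=utf-8');
    }
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>{$safe}</p>";
}

echo json_response(['comment' => $comment]), PHP_EOL;
echo html_response($comment), PHP_EOL;
```

Run from the CLI (where header() is a no-op) to compare the two encodings of the same stored string; in a web context the Content-Type header is what makes the JSON branch safe for browsers.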