Hello,
Using CodeIgniter 3.0.3 and the Rest Server library
https://github.com/chriskacerguis/codeig...stallation, version @version 3.0.0, I want protection against HTML injection.
In this lib I found lines like:
PHP Code:
    /**
     * Enable XSS flag
     * Determines whether the XSS filter is always active when
     * GET, OPTIONS, HEAD, POST, PUT, DELETE and PATCH data is encountered.
     * Set automatically based on config setting
     *
     * @var bool
     */
    protected $_enable_xss = FALSE;
    ...
    $this->_enable_xss = ($this->config->item('global_xss_filtering') === TRUE);
...
But in the config file of the CodeIgniter 3.0.3 project I see a mention that this feature is DEPRECATED:
PHP Code:
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
| WARNING: This feature is DEPRECATED and currently available only
| for backwards compatibility purposes!
|
*/
$config['global_xss_filtering'] = FALSE;
Which would be a good way to do this?
Usually, for escaping HTML, I use: htmlentities($text, ENT_COMPAT, 'UTF-8')
Would it be a good way to override the REST_Controller class and, in my class, add htmlentities to all data-read methods, like:
PHP Code:
    /**
     * Retrieve a value from a GET request
     *
     * @access public
     * @param NULL $key Key to retrieve from the GET request
     * If NULL an array of arguments is returned
     * @param NULL $xss_clean Whether to apply XSS filtering
     * @return array|string|NULL Value from the GET request; otherwise, NULL
     */
    public function get($key = NULL, $xss_clean = NULL)
    {
        if ($key === NULL)
        {
            return $this->_get_args;
        }

        return isset($this->_get_args[$key]) ? $this->_xss_clean($this->_get_args[$key], $xss_clean) : NULL;
    }
    ...
    /**
     * Retrieve a value from a POST request
     *
     * @access public
     * @param NULL $key Key to retrieve from the POST request
     * If NULL an array of arguments is returned
     * @param NULL $xss_clean Whether to apply XSS filtering
     * @return array|string|NULL Value from the POST request; otherwise, NULL
     */
    public function post($key = NULL, $xss_clean = NULL)
    {
        if ($key === NULL)
        {
            return $this->_post_args;
        }

        return isset($this->_post_args[$key]) ? $this->_xss_clean($this->_post_args[$key], $xss_clean) : NULL;
    }
?
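One way to do what the post asks, as an added example that is not part of the original post and not code from the Rest Server library: a subclass that wraps the library's data-read methods and HTML-escapes whatever they return, recursively for arrays (the case where `$key` is NULL and the whole argument array comes back). The file location `application/libraries/MY_REST_Controller.php`, the `require_once` of the library file, and the assumption that `put()`, `patch()` and `delete()` share the `($key = NULL, $xss_clean = NULL)` signature of the `get()`/`post()` shown above are assumptions of this example. It uses `ENT_QUOTES` rather than the `ENT_COMPAT` mentioned in the post, because `ENT_COMPAT` leaves single quotes unescaped, and `ENT_SUBSTITUTE` so that invalid UTF-8 is replaced rather than making `htmlentities()` return an empty string.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Assumed location: application/libraries/MY_REST_Controller.php (example
// code, not part of the Rest Server library). Controllers then extend
// MY_REST_Controller instead of REST_Controller.
require_once APPPATH . 'libraries/REST_Controller.php';

class MY_REST_Controller extends REST_Controller
{
    /**
     * HTML-escape a scalar, or recursively every scalar inside an array.
     *
     * - ENT_QUOTES escapes both " and ' (ENT_COMPAT would leave ' alone,
     *   which matters if a value is ever placed in a single-quoted attribute).
     * - ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead
     *   of returning an empty string, so malformed input cannot silently
     *   blank a field.
     * - array_map() with a single array preserves keys, so the shape of the
     *   argument array returned for $key === NULL is unchanged.
     *
     * @param  mixed $value
     * @return mixed
     */
    protected function _html_escape($value)
    {
        if (is_array($value))
        {
            return array_map([$this, '_html_escape'], $value);
        }

        if (is_string($value))
        {
            return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        }

        // ints, floats, bools and NULL pass through unchanged
        return $value;
    }

    // Each wrapper lets the parent do its own lookup (and optional
    // _xss_clean) and then escapes the result, so the library's behaviour
    // for missing keys (NULL) is kept.

    public function get($key = NULL, $xss_clean = NULL)
    {
        return $this->_html_escape(parent::get($key, $xss_clean));
    }

    public function post($key = NULL, $xss_clean = NULL)
    {
        return $this->_html_escape(parent::post($key, $xss_clean));
    }

    // Assumed to have the same signature as get()/post() in this library version.
    public function put($key = NULL, $xss_clean = NULL)
    {
        return $this->_html_escape(parent::put($key, $xss_clean));
    }

    public function patch($key = NULL, $xss_clean = NULL)
    {
        return $this->_html_escape(parent::patch($key, $xss_clean));
    }

    public function delete($key = NULL, $xss_clean = NULL)
    {
        return $this->_html_escape(parent::delete($key, $xss_clean));
    }
}
```

A caveat on the approach itself: escaping on input is lossy. A value stored as `&lt;b&gt;` will be returned that way to JSON or mobile clients that never render HTML, and it does nothing for data that reaches the template by another path (database seeds, other controllers). The more robust pattern is to keep the raw value and escape at the point where it is written into an HTML context, with the encoding chosen for that context (element body, attribute, JavaScript string, URL). The subclass above is still useful as a belt-and-braces layer for an application that renders REST input directly into HTML.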