Lost about XSS protection
#1

Hi,

Since xss_clean in Input is deprecated, and since it seems to be best practice to validate input and sanitize output, I'm struggling with the correct way to do this in CI (meaning in an MVC structure).

Hypothesis 1:
  • never XSS-clean on input (so, for example, record <script>...</script> in the database)
  • do security->xss_clean on all output data in controllers
  • do not use htmlspecialchars or strip_tags in views (because applying htmlspecialchars after xss_clean corrupts the data)
This hypothesis looks fine, but in the case where I'm the front-end developer (views, using CI or another framework for this part), I have to trust the middle-end controllers, i.e. APIs. But I've had some bad experiences before with APIs sending unclean data.

So the second hypothesis is:
  • use validation in controllers or models, but no XSS sanitization.
  • use htmlspecialchars and strip_tags in views.
But in this second hypothesis, I have to deal with AJAX callbacks and sanitize in JavaScript.

Is there another way? The CI documentation is very poor on this part of security.

Thanks.
#2

Hmmm....
My opinion says:
+ put unmodified data into the DB
+ xss_clean on all output data in controllers (e.g. when the user submits a page and this page comes back with the user's errors)
+ use html_clean() on input values in views

Why do you say "do not use htmlspecialchars or strip_tags in views"??
#3

(12-14-2016, 08:55 AM)wishmaster Wrote: Hmmm....
My opinion says:
+ put unmodified data into the DB
+ xss_clean on all output data in controllers (e.g. when the user submits a page and this page comes back with the user's errors)
+ use html_clean() on input values in views

Why do you say "do not use htmlspecialchars or strip_tags in views"??

Thanks for the answer.
I said "do not use htmlspecialchars..." in this hypothesis because it breaks some code. Take this sample:
Code:
with $test = "Hello this is a message <script>alert('here is my alert')</script>";
When you echo $test:

AFTER XSS_CLEAN: Hello this is a message alert('here is my alert')
AFTER XSS_CLEAN AND THEN htmlspecialchars: Hello this is a message alert('here is my alert')

So ( and ' characters are replaced.

But what troubles me is that when I use a valid string, the characters are not replaced.

AFTER XSS_CLEAN: A valid string with for example some "quotes" or ("ie..)
AFTER XSS_CLEAN AND THEN htmlspecialchars: A valid string with for example some "quotes" or ("ie..)
#4

UP.
I realize that if we have to sanitize output in the controller, then when I have multiple records I have to loop foreach record and then foreach field in the array or object to apply xss_clean. Hmm, not really good for performance, as I will have to do the same loop in the view for display.

So perhaps it could be more efficient to xss_clean at input and have clean data in the database, even though I've also read that it is good practice to clean output instead of input.
#5

(12-14-2016, 08:32 AM)zoé Wrote: Hypothesis 1:
  • never XSS-clean on input (so, for example, record <script>...</script> in the database)
  • do security->xss_clean on all output data in controllers
  • do not use htmlspecialchars or strip_tags in views (because applying htmlspecialchars after xss_clean corrupts the data)
This hypothesis looks fine, but in the case where I'm the front-end developer (views, using CI or another framework for this part), I have to trust the middle-end controllers, i.e. APIs. But I've had some bad experiences before with APIs sending unclean data.

So the second hypothesis is:
  • use validation in controllers or models, but no XSS sanitization.
  • use htmlspecialchars and strip_tags in views.
But in this second hypothesis, I have to deal with AJAX callbacks and sanitize in JavaScript.

Is there another way? The CI documentation is very poor on this part of security.

1. Validate inputs.
2. Do only xss_clean() at the point where you generate HTML. No htmlspecialchars(). If you want to use strip_tags() for whatever reason - do it before xss_clean().

Do your APIs return HTML that is to be directly displayed? Then sanitize there.
Do they return data that is later turned into HTML? Then sanitize in views.

(12-14-2016, 08:55 AM)wishmaster Wrote: Hmmm....
My opinion says:
+ put unmodified data into the DB
+ xss_clean on all output data in controllers (e.g. when the user submits a page and this page comes back with the user's errors)
+ use html_clean() on input values in views

If the data is already sanitized, don't do html_clean() (whatever that is) on it again.
Once is just enough, more than once breaks your data.

(12-14-2016, 08:55 AM)wishmaster Wrote: Why do you say "do not use htmlspecialchars or strip_tags in views"??

Because if it's already sanitized in a controller (which probably shouldn't be the case, but that's another story), applying htmlspecialchars() on it again will result in double encoding; i.e. breaking the data.

(12-14-2016, 09:23 AM)zoé Wrote: UP.
I realize that if we have to sanitize output in the controller, then when I have multiple records I have to loop foreach record and then foreach field in the array or object to apply xss_clean. Hmm, not really good for performance, as I will have to do the same loop in the view for display.

So perhaps it could be more efficient to xss_clean at input and have clean data in the database, even though I've also read that it is good practice to clean output instead of input.

Efficiency is not the point; security is.

This is one of the reasons why security is hard - it is often at odds with a developer's natural instincts; you can't put it on rails.
If you care about efficiency more than security, what you get is vulnerabilities.
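A worked example of the points made in posts #3 and #5: store the raw value, escape exactly once at the boundary where HTML is generated, and see why escaping a second time corrupts the data. This is an added illustration, not code from the thread or from CodeIgniter. It uses PHP's native htmlspecialchars() and json_encode() rather than CI's xss_clean(), which is not available outside the framework; the $samples values are constructed test strings (the first one is the attack string from post #3), and the function names escapeHtml(), escapeHtmlIdempotent() and encodeJson() are this example's own.

```php
<?php
// Added example (not from the thread or CodeIgniter): keep raw data in storage,
// escape once where HTML is produced, and observe the double-encoding problem.
declare(strict_types=1);

// Constructed sample values, as if read back from the database unmodified.
$samples = [
    'attack' => "Hello this is a message <script>alert('here is my alert')</script>",
    'valid'  => 'A valid string with some "quotes" or (\'ie\'..) and an & ampersand',
];

// Escape a value for an HTML text node or attribute value.
// ENT_QUOTES covers both quote styles (needed inside attributes), the charset is
// explicit, and ENT_SUBSTITUTE stops malformed UTF-8 from yielding an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Same escaping with double_encode=false: entities already present are left alone,
// so "&lt;" stays "&lt;" instead of becoming "&amp;lt;". Useful when you cannot be
// sure whether an upstream layer (controller, API) has escaped the value already.
function escapeHtmlIdempotent(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
}

// Encode data for an AJAX/JSON response. The JSON_HEX_* flags turn < > & ' " into
// \uXXXX escapes, so the payload is also safe to embed inside a <script> block.
// The browser side should insert the strings with textContent, never innerHTML.
function encodeJson(array $data): string
{
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

foreach ($samples as $name => $raw) {
    $once  = escapeHtml($raw);
    $twice = escapeHtml($once);            // "sanitize in controller AND in view"
    $again = escapeHtmlIdempotent($once);  // second pass with double_encode=false

    echo "== $name ==\n";
    echo "raw                         : $raw\n";
    echo "escaped once                : $once\n";   // safe, renders as the original text
    echo "escaped twice               : $twice\n";  // &lt; became &amp;lt; : data corrupted
    echo "once, then double_encode=off: $again\n";  // identical to the once-escaped value
}

// For an API consumed by JavaScript: return data, not HTML; the view layer escapes.
echo encodeJson(['message' => $samples['attack']]), "\n";
```

Run it with `php example.php`. For the "valid" sample the once-escaped output is `&quot;quotes&quot;`, which a browser renders back as the original quotes; the twice-escaped output is `&amp;quot;quotes&amp;quot;`, which renders literally as `&quot;quotes&quot;`, which is the breakage post #5 describes. Note that htmlspecialchars() only makes data safe for an HTML text node or a quoted attribute value; a value placed into a URL, a JavaScript string or a CSS property needs the encoder for that context instead.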
#6

@Narf
THANKS. Great answers, clear and efficient. All is OK now for me. And thanks again for CI.
Regards
Zoé