moving from my localhost to a public host
#11

>>But they don't escape anything on output (like you should).
I am not sure that I do unless Grocery Crud takes care of it. There is only one place where I output a string directly via HTML scripting that they have entered w/o Grocery Crud. It is where they enter the name of their project. I guess I should be checking to make sure that the name of the project is not dangerous. How do I do this? I am not sure what you mean by "escape on output"?
proof that an old dog can learn new tricks
Reply
#12

Grocery Crud doesn't take care of it. So if you are using it as an admin interface with user data, they can send in XSS attacks that you will execute. There's a global XSS filtering available that's an alias for strip_tags. It's better than nothing, I guess.

You can use html_escape on all data users have provided.
https://www.codeigniter.com/user_guide/g...tml_escape

User only sends in a project name? You must surely store more information than that. And when they retrieve it (and you display it), you need to escape it.
Reply
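The difference between "filter on input" and "escape on output" that Jrek describes, as an added example (not code from the thread, from Grocery CRUD or from CodeIgniter). It is stand-alone PHP, so it calls htmlspecialchars() directly; CodeIgniter's html_escape() wraps the same call with ENT_QUOTES and the configured charset, so inside a CI view you would call that instead. The project names are constructed samples. The third one is the case a strip_tags-style global filter does not catch: it contains no tag, only a quote that closes the attribute the value is printed into.

```php
<?php
// Added example, not from the forum thread or from Grocery CRUD / CodeIgniter.
// Demonstrates why user data must be escaped at the point it is written into
// HTML, and why a global filter based on strip_tags() is not a substitute.
// Stand-alone PHP: htmlspecialchars() is used where CodeIgniter's html_escape()
// helper (which wraps it with ENT_QUOTES) would be used inside the framework.

// Constructed sample project names, as a user might type them into a form.
const SAMPLE_PROJECT_NAMES = [
    'Payroll migration',                          // harmless
    '<script>alert(document.cookie)</script>',    // classic tag injection
    'Budget" onmouseover="alert(1)',              // no tag: breaks out of an attribute
    "O'Reilly's project <b>v2</b>",               // legitimate quote + markup
];

// Escape for insertion into HTML text or a quoted attribute value.
// ENT_QUOTES also encodes single quotes, so the output is safe in both
// double- and single-quoted attributes.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What a global "XSS filter" that is just strip_tags() does to the value.
function strip_tags_filter(string $value): string
{
    return strip_tags($value);
}

// Render the project name in the two places a typical edit page uses it:
// as element text and as a form field value. $filter is applied at output.
function render_project(string $name, callable $filter): string
{
    $safe = $filter($name);
    return '<h2>' . $safe . '</h2>' . "\n"
         . '<input type="text" name="project" value="' . $safe . '">' . "\n";
}

// Crude check used only for the demo: does the rendered HTML still contain
// an unescaped attribute terminator or an opening tag from the input?
function looks_injectable(string $html, string $original): bool
{
    foreach (['<script', 'onmouseover="alert', '" onmouseover'] as $needle) {
        if (strpos($original, $needle) !== false && strpos($html, $needle) !== false) {
            return true;
        }
    }
    return false;
}

foreach (SAMPLE_PROJECT_NAMES as $name) {
    echo "=== input: $name\n";
    foreach (['no escaping' => fn(string $v): string => $v,
              'strip_tags'  => 'strip_tags_filter',
              'html_escape' => 'escape_for_html'] as $label => $filter) {
        $html = render_project($name, $filter);
        $flag = looks_injectable($html, $name) ? 'UNSAFE' : 'ok';
        echo "[$label: $flag]\n", $html;
    }
}
```

Running it shows the strip_tags pass removing the script tag but leaving `<input ... value="Budget" onmouseover="alert(1)">` intact, while the escaped pass turns every `"`, `'`, `<` and `>` into entities so all four names display literally. The point is that the escaping function is chosen by the context the value lands in (HTML text and attributes here; a value written into JavaScript or a URL needs a different encoder), which is why it is done at output rather than once on input.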
#13

Thanks Jrek. Everything else (including the project name) is being entered into the Crud. The developer added XSS protection a version or two ago, so I feel pretty good for right now about it.
proof that an old dog can learn new tricks
Reply