XSS_filtering

#1
The ‘global_xss_filtering’ setting is DEPRECATED and kept solely for backwards-compatibility purposes. XSS escaping should be performed on output, not input!

What does it mean exactly? Should I apply XSS filtering manually, as in $data = $this->security->xss_clean($data);?

Thanks in advance

#2
I think you're in the wrong forum. CI4 doesn't have xss_clean method. Instead it provides the esc() method to escape data in views.

But what it means is that you don't escape data when you get it from the user. Different contexts need different types of escaping. For example, escaping for safety within a database is different than for when it's viewed on a web page. Instead, escape it when you need to use it so you can choose the proper way to handle it.
Support Development  • Practical CodeIgniter 3  • Vulcan - CLI Tools for CI4
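To make the point in the answer above concrete, here is an added example (not CodeIgniter's own code, and not written by the answer's author): a small stand-alone PHP script with one escaping function per output context. The function names escHtml, escAttr, escJs and escUrl and the sample input string are assumptions of this example; CodeIgniter 4's esc() helper accepts the same context names ('html', 'attr', 'js', 'url') as its second argument, but the implementations below are simplified stand-ins, not the framework's. Running it shows that the same user-supplied value needs four different encodings depending on where it lands, which is exactly why a single filter applied on input cannot be correct.

```php
<?php
// Added example, not CodeIgniter's own code: a minimal context-aware escaper
// showing why escaping belongs at output time. CodeIgniter 4's esc() takes the
// same context names; these functions are simplified stand-ins for illustration.

declare(strict_types=1);

function escHtml(string $s): string
{
    // Body text between tags: encode the HTML-significant characters.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escAttr(string $s): string
{
    // Attribute values: encode everything except a safe alphanumeric subset,
    // so the value cannot close the attribute even if the template forgot quotes.
    return preg_replace_callback('/[^A-Za-z0-9,.\-_]/u', function (array $m): string {
        return sprintf('&#x%04X;', mb_ord($m[0], 'UTF-8'));
    }, $s);
}

function escJs(string $s): string
{
    // JavaScript string literal: \xHH / \uHHHH escapes, so quotes, backslashes
    // and sequences such as </script> cannot terminate the literal or the tag.
    return preg_replace_callback('/[^A-Za-z0-9,._]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        return $cp < 0x100 ? sprintf('\\x%02X', $cp) : sprintf('\\u%04X', $cp);
    }, $s);
}

function escUrl(string $s): string
{
    // Query-string component: percent-encoding.
    return rawurlencode($s);
}

// Constructed sample input: the kind of value a user might submit in a form.
$userInput = 'O\'Neil <b>"bold"</b> & co';

// The same raw value, encoded differently for each destination.
$text = escHtml($userInput);  // safe inside <p>...</p>
$attr = escAttr($userInput);  // safe inside value="..."
$js   = escJs($userInput);    // safe inside var x = '...';
$url  = escUrl($userInput);   // safe inside ?q=...

echo "<p>{$text}</p>\n";
echo "<input type=\"text\" value=\"{$attr}\">\n";
echo "<script>var greeting = '{$js}';</script>\n";
echo "<a href=\"/search?q={$url}\">search</a>\n";

// Filtering on input would have to pick one of these encodings before the
// destination is known; the stored value would then be wrong for the other
// three contexts, and the original text (for example for a database search
// or a plain-text e-mail) would already be lost.
```

Store the raw value as the user typed it (using parameterised queries for the database) and call the context-appropriate escaper in the view; in CodeIgniter 4 that is esc($value, 'html'), esc($value, 'attr'), esc($value, 'js') or esc($value, 'url') at each output site.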

#3
(10-18-2018, 09:23 PM)kilishan Wrote: I think you're in the wrong forum. CI4 doesn't have xss_clean method. Instead it provides the esc() method to escape data in views.

But what it means is that you don't escape data when you get it from the user. Different contexts need different types of escaping. For example, escaping for safety within a database is different than for when it's viewed on a web page. Instead, escape it when you need to use it so you can choose the proper way to handle it.

Yes, I posted this topic in the wrong part of the forum.

I am not a native English speaker, so sometimes I have doubts about best practices in CodeIgniter.
I am developing a web app and my goal is to keep a high level of security.

Thank you anyway.

P.S. Do you think it is too early to develop apps with CI 4?