• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
is xss_clean still a good practice to validate form

#1
Hello,

I'm using CodeIgniter 3.1.11, and in order to validate a form against xss, I use something like that:

$this->form_validation->set_rules('first_name', 'First Name', 'trim|required|xss_clean');

in the autoload.php, I load the security helper:

$autoload['helper'] = array('url', 'form', 'security');

I checked on the doc online, but I didn't see the xss_clean in the form_validation section:
https://codeigniter.com/user_guide/libra...ation.html

I found some solutions online that using this practice: xss_clean but the solutions are pretty old, from 2015...
I said maybe this option is deprecated,

Thank You for help
Reply

#2
This is usually not used on forms I am using: html_escape() in views and in database queries: escape()
Reply

#3
There isn't an "xss_clean" rule in CI v3 like there was in previous versions. You should remove that from your rules. You will probably find this comment in the Upgrading from 2.2x to 3.0.x instructions to be very interesting.

CI v3 has  an xss_clean() function in the Security Class. And there is the same function in the security helper. (It actually calls the Security class method.)

Also, check out the Input Class which makes it easy to run POST and GET data through the xss_clean function.

But you really ought to do some research on what is considered best practice for avoiding XSS attacks. The xss_clean function isn't really viable these days.
Reply

#4
Here is a good read on it by Google.

Google Application Security - Cross-site scripting
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.