XSS Clean in CI4?
#1

Hello, community!

I'm starting to migrate my platform to CI4 and I can't find an important function that I used on CI3, which is xss_clean on POST requests. In CI4, what is the similar function to xss_clean, or what is the recommendation to protect POST data?
#2

(This post was last modified: 01-28-2020, 11:59 AM by jreklund.)

XSS_clean should be considered deprecated. That's not a recommended practice to rely on. You should filter your inputs AND escape your outputs.

Input:
https://codeigniter4.github.io/userguide...ation.html
https://codeigniter4.github.io/userguide...ving-input "Filtering Input Data"

Output:
https://codeigniter4.github.io/userguide...aping-data
https://codeigniter4.github.io/userguide...g-contexts
#3

(01-28-2020, 12:55 AM)jreklund Wrote: XSS_clean should be considered deprecated. That's not a recommended practice to rely on. You should filter your inputs AND escape your outputs.

Input:
https://codeigniter4.github.io/userguide...ation.html
https://codeigniter4.github.io/userguide...ving-input "Filtering Input Data"

Output:
https://codeigniter4.github.io/userguide...aping-data
https://codeigniter4.github.io/userguide...g-contexts

Then do the esc and setVar functions need to be placed in the view template, or where, for example?
#4

(This post was last modified: 01-28-2020, 12:33 PM by jreklund.)

Input is in your controller*. Output is in your view.

*setVar is called in your controller.
#5

(01-28-2020, 12:32 PM)jreklund Wrote: Input is in your controller*. Output is in your view.

*setVar is called in your controller.

Sorry, but let me ask by showing an example:

In CI3 I clean the post with this method:
$post = $this->security->xss_clean($this->input->post(NULL, TRUE));

This means that all POST data received by the controller will pass through xss_clean. How can I do something like this on CI4?
#6

(01-28-2020, 01:05 PM)ajmeireles Wrote: Sorry, but let me ask by showing an example:

In CI3 I clean the post with this method:
$post = $this->security->xss_clean($this->input->post(NULL, TRUE));

This means that all POST data received by the controller will pass through xss_clean. How can I do something like this on CI4?

There is no xss_clean function for CI4 because that is the wrong way to prevent XSS.

Here's some reading that may explain why the old CI approach is wrong and what you should do instead.

Read the accepted answer to a similar question here.

A readable and reasonably comprehensive blog post.

The very in-depth and astute post Everything You Need to Know About Preventing Cross-Site Scripting Vulnerabilities in PHP
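An added example (written for this thread, not code from the posts above or from the CodeIgniter project) of the split jreklund describes: validation rules on the POST data in the controller, setVar() to hand the raw values to the view, and esc() with the matching context at every output point in the view. The controller name, view path and field names are assumptions.

```php
<?php
// app/Controllers/Comments.php (hypothetical controller for this example)
namespace App\Controllers;

class Comments extends BaseController
{
    public function store()
    {
        // INPUT, in the controller: validate the shape of each POST field.
        // This replaces "run everything through xss_clean": bad input is
        // rejected, and accepted input is kept exactly as the user typed it.
        $rules = [
            'author'  => 'required|alpha_numeric_space|max_length[60]',
            'website' => 'permit_empty|valid_url',
            'body'    => 'required|max_length[2000]',
        ];

        if (! $this->validate($rules)) {
            return redirect()->back()->withInput()
                ->with('errors', $this->validator->getErrors());
        }

        // Note: 'body' is free text, so validation alone does not stop a
        // <script> tag from being stored. Escaping at output is what makes
        // it harmless, regardless of what was submitted.
        $comment = [
            'author'  => $this->request->getPost('author'),
            'website' => $this->request->getPost('website'),
            'body'    => $this->request->getPost('body'),
        ];

        // setVar() is called in the controller, as the thread says.
        return service('renderer')->setVar('comment', $comment)->render('comments/show');
    }
}
```

```php
<!-- app/Views/comments/show.php (hypothetical view for the same example) -->
<!-- OUTPUT, in the view: escape for the context the value lands in. -->
<p class="author"><?= esc($comment['author']) ?></p>                      <!-- HTML body (default context) -->
<p class="body"><?= esc($comment['body']) ?></p>                          <!-- HTML body -->
<a href="/search?author=<?= esc($comment['author'], 'url') ?>">more</a>   <!-- URL query parameter -->
<div title="<?= esc($comment['body'], 'attr') ?>">hover for text</div>    <!-- HTML attribute -->
<script>const body = "<?= esc($comment['body'], 'js') ?>";</script>       <!-- JavaScript string -->
```

The default esc() context is 'html'; passing the wrong context (for example 'html' inside a script block) leaves that sink exposed, which is why the view, not the controller, decides how each value is escaped.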