sourcejedi

Reputation: 3271

Does using CodeIgniter's XSS filtering avoid the need to escape when outputting?

CodeIgniter provides a couple of convenient APIs for XSS filtering.

If you use this feature, does it avoid the need to escape fields when outputting them?

Upvotes: 1

Views: 182

Answers (1)

sourcejedi

Reputation: 3271

There are some situations where xss_clean will not protect you. Issue 470 includes this example:

public function index()
{
    // xss_clean() does not touch the double quotes, so the value still breaks
    // out of the attribute when it is echoed unescaped below.
    $name = $this->security->xss_clean('hover me" onmouseover=alert("XSS2") "');
    echo '</div>Name:<input value="'.$name.'">';
    echo '</body></html>';
}

The response from developers was that this is by design, and to suggest that $name should have been escaped using form_prep().

If you use set_value('field-name', 'default') in order to preserve user input when a form fails validation, that will ... attempt to call form_prep() for you. The caveat is that if you don't have the form validation library loaded, it won't escape the 'default' parameter. (Issue 1781, fixed in 3.0-dev).

If you are running the current 3.0-dev, then form_prep() is more specific about which characters it escapes. It should avoid XSS either way; it just has unexpected results in some situations. E.g. if you try to enter a literal "&amp;" in 3.0-dev, and then the form fails validation, the field value will change to & without warning. This change was an attempt to work around problems with double-escaping (issue 1953).

Upvotes: 4
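An added example, not code from the question or from CodeIgniter itself, showing why the answer's Issue 470 input needs output escaping regardless of xss_clean, and the double-escaping trade-off it mentions for issue 1953. It uses plain PHP htmlspecialchars(), which is what form_prep() / html_escape() reduce to (the exact flags vary by CodeIgniter version, so treat that equivalence as an assumption); the attr_value() helper and the sample values are constructed here.

```php
<?php
// Constructed sample: the hostile default value quoted in the answer.
$raw = 'hover me" onmouseover=alert("XSS2") "';

// Escape a value for use inside a double-quoted HTML attribute.
// ENT_QUOTES turns both " and ' into entities, so the value can never
// terminate the attribute. $double_encode = false mirrors the 3.0-dev
// behaviour the answer describes: an existing entity such as "&amp;" is
// left as-is instead of becoming "&amp;amp;", which is why a user who
// typed a literal "&amp;" gets "&" back after a failed validation.
function attr_value(string $value, bool $double_encode = true): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8', $double_encode);
}

// Unescaped: the embedded quote closes value="..." and onmouseover
// becomes a real attribute on the <input>.
$unsafe = '<input value="' . $raw . '">';

// Escaped at output time: the whole string remains one attribute value.
$safe = '<input value="' . attr_value($raw) . '">';

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// The double-escaping trade-off from issue 1953 on a literal "&amp;":
// the default preserves what the user typed, the non-double-encoding
// variant silently collapses it to a single ampersand when rendered.
$literal = '&amp;';
echo "default escaping:     " . attr_value($literal) . "\n";
echo "double_encode = false: " . attr_value($literal, false) . "\n";
```

Compare the two "&amp;" lines in a browser to see the behaviour change the answer warns about; the escaping in attr_value() is what keeps the first case from becoming live markup.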
