What is the security aspects should be considered when using editor in codeigniter?

Question

I'm using nice editor for editor in my project and public user can use the editor for imputing their data. Here in server side, i'm taking value and after printing in view also directly.

So I am afraid about security aspects and could you please explain which area should be careful? My code given below:

controller:

$desc = $this->input->post('desc', TRUE);

view:

echo $desc;

Answer 1

In general you are safe when using the included CI's security class. Just make sure you are using the TRUE flag on every input->post you do or you have enabled XSS filtering in your config file. $config['global_xss_filtering'] = TRUE;

Taken from CI's documentation:

CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.

The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

For added security against Cross-site request forgery (CSRF) you can enable CI's CSRF protection as well. This will provide your html forms (when you use form_open()) with an additional input with a token for protection in your application.

Of course you should never trust user input and you may want to use another layer of security on your inputs depending the use of your application. You can try using htmlentities() just to be more sure that no malicious javascript will get saved to your database or shown to your visitors.