Geril
Reputation: 105
Codeigniter session xss filtering
does it makes any sense to check if user's session item is xss clean?
Something like this:
$item = $this->security->xss_clean($this->session->item);
Is there any possibility that session can contain any harmful code?
Upvotes: 1
Views: 174
Answers (1)
randrade86
Reputation: 346
Short answer: Yes.
If $this->session->item is populated by a malicious user (e.g. some input textbox or fake $_POSTdata ) then it is vulnerable to harmful code.
Even if this session variable is really stored in your session, it could be inserted in a database, for example.
Upvotes: 2
Related Questions
- Are PDO prepared statements sufficient to prevent SQL injection?
- Invalidating JSON Web Tokens
- Reference Guide: What does this symbol mean in PHP? (PHP Syntax)
- Secure hash and salt for PHP passwords
- How do I expire a PHP session after 30 minutes?
- How does PHP 'foreach' actually work?
- What are sessions? How do they work?
- Do sessions really violate RESTfulness?
- SQL injection that gets around mysql_real_escape_string()
- How should I ethically approach user password storage for later plaintext retrieval?