As far as I learned from my previous post, xss_clean will filter $this->input->post('text_url') after calling $this->form_validation->run(). The question is: will it also filter $this->input->post('textarea_content') inside the callback function?
Thanks
$this->form_validation->set_rules('text_url', 'Website link', 'trim|xss_clean|callback_minimum_fields[' . $this->input->post('textarea_content') . ']');
$this->form_validation->run();
//Filtered
$text_url = $this->input->post('text_url');
//Filtered as well?
$textarea_content = $this->input->post('textarea_content');
CALLBACK
public function minimum_fields($url, $content)
{
    if ($url == '' && $content == '')
    {
        $this->form_validation->set_message('minimum_fields', 'Please provide info for at least one of these: "Website link" and "Content".');
        return false;
    }
    return true;
}
No, you didn’t set a “prepping” rule in your form validation. In fact, you haven’t validated the textarea_content field at all. Besides that, you haven’t run the form validation at the time you set the rules, so passing any POST data into a callback function will be the original data.
Passing post data like that into a callback here, where the rules are just strings, is very dangerous and likely to break your script. Consider:
Those “rules” would be injected into your form validation rules, since in this context, it’s just a string. It might be better to have your callback read the post data directly or to take another approach, but this is very unsafe. Even if you xss_clean it first, it doesn’t matter.
Once again, I urge you to spend more time understanding what XSS is and then decide if it makes any sense to worry about in this situation. XSS only occurs on output.
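The following is an added, stand-alone PHP example (not code from the question, the answer, or CodeIgniter itself) that shows what the answer is warning about: when the textarea contents are concatenated into the rule string, whatever the user typed is tokenised as part of the rules, so a stray pipe mangles the callback name and breaks validation. The tokenizer here is a simplified stand-in for a pipe-delimited rule parser and is an assumption, not CodeIgniter's actual implementation; the `$post` array stands in for `$this->input->post()`. The safe shape keeps user data out of the rule string, has the callback read the second field itself, and escapes at output, which is where XSS is actually prevented.

```php
<?php
// Added example; not code from the original post or from CodeIgniter.
// tokenize_rules() is a simplified ASSUMPTION of how a "rule1|rule2[param]"
// string is taken apart. CodeIgniter's own parser differs between versions.
function tokenize_rules(string $rules): array
{
    $parsed = [];
    foreach (explode('|', $rules) as $rule) {
        if (preg_match('/^(.*?)\[(.*)\]$/', $rule, $m)) {
            $parsed[] = ['rule' => $m[1], 'param' => $m[2]];
        } else {
            $parsed[] = ['rule' => $rule, 'param' => null];
        }
    }
    return $parsed;
}

// Constructed sample POST data: the user typed a pipe into the textarea.
$post = [
    'text_url'         => '',
    'textarea_content' => 'see http://example.com | my notes',
];

// The pattern from the question: POST data concatenated into the rule string.
$unsafe = 'trim|xss_clean|callback_minimum_fields[' . $post['textarea_content'] . ']';
print_r(tokenize_rules($unsafe));
// The user's pipe splits the string: the third token is now
// "callback_minimum_fields[see http://example.com " (no such callback), and
// " my notes]" is treated as a rule of its own. Validation breaks.

// Safe shape: the rule string carries no user data at all ...
$safe = 'trim|xss_clean|callback_minimum_fields';
print_r(tokenize_rules($safe));

// ... and the callback fetches the other field itself. In CodeIgniter this
// would be $this->input->post('textarea_content'); here $post stands in.
function minimum_fields(string $url, array $post): bool
{
    $content = trim((string) ($post['textarea_content'] ?? ''));
    if ($url === '' && $content === '') {
        // $this->form_validation->set_message('minimum_fields', '...');
        return false;
    }
    return true;
}

var_dump(minimum_fields($post['text_url'], $post));               // bool(true): content given
var_dump(minimum_fields('', ['textarea_content' => '   ']));      // bool(false): both empty

// XSS is prevented at output: escape when rendering, whatever was stored.
function render_content(string $content): string
{
    return '<p>' . htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

echo render_content($post['textarea_content']), PHP_EOL;
echo render_content('<b>bold</b> & "quoted"'), PHP_EOL;
// Output: <p>&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot;</p>
```

Run it with `php example.php`. The first `print_r` shows why the answer says the script is "likely to break": the callback rule name no longer matches any method, so the intended check never runs, regardless of whether `xss_clean` was applied first.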