I’m working on a CMS in CodeIgniter and I’m currently setting up some validation rules for all my fields.
I have XSS filtering and CSRF protection enabled. I’m also using active records.
The content field allows HTML characters but I don’t want JS/PHP code to execute (XSS filtering will prevent this?).
With the protections I currently have set up, is there anything I’m still susceptible to? What precautions should I take? What validation rules should I be employing?
CI’s XSS filter misses JavaScript events when they are not inside script tags. I don’t suggest that you turn off the filter, but additionally you should encode the data, at least with the PHP built-in functions, right after input, and decode right before output.
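The encode-after-input / decode-before-output pattern the answer recommends, as an added example that is not code from the question, the answer, or CodeIgniter itself. It is plain PHP with no framework dependency so it can be run on its own; the helper names, the `content` field, and the sample submission are constructed for this illustration, and the comments note where the answer's XSS filter would still sit in the pipeline.

```php
<?php
// Added example (not from the question or answer above): encode user-submitted
// content with PHP's built-in functions right after input, store the encoded
// form, and decode only at the moment of output. Plain PHP, no CodeIgniter
// dependency; helper names and the sample input are constructed for this example.

/**
 * Run immediately after input is received (in CI, on the value you get back
 * from $this->input->post('content')). Every HTML metacharacter becomes an
 * entity, so whatever ends up in the database can never be parsed as markup
 * by a browser, whether or not the XSS filter caught it.
 */
function encode_after_input(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Run right before output. Reverses encode_after_input() so that a field that
 * is meant to render as HTML (the CMS "content" field) gets its tags back.
 * Only call this on data that has also been through the XSS filter; for a
 * plain-text field (a title, a username) skip this step and echo the stored,
 * encoded form as-is, which shows any markup as literal text.
 */
function decode_before_output(string $stored): string
{
    return htmlspecialchars_decode($stored, ENT_QUOTES | ENT_HTML5);
}

/**
 * The round trip must be lossless for ordinary content, otherwise the CMS
 * would silently corrupt what authors typed.
 */
function round_trip_is_lossless(string $raw): bool
{
    return decode_before_output(encode_after_input($raw)) === $raw;
}

// Constructed sample: markup carrying an inline event attribute, the case the
// answer says the filter alone does not reliably catch.
$submitted = '<p onmouseover="handler()">Hello & welcome</p>';

$stored = encode_after_input($submitted);
// $stored is now:
// &lt;p onmouseover=&quot;handler()&quot;&gt;Hello &amp; welcome&lt;/p&gt;
// Echoing $stored straight into a page renders the tag as visible text;
// the attribute is inert because the browser never sees a real element.

echo "Stored form (safe to echo as-is):\n{$stored}\n\n";
echo "Round trip lossless: " . (round_trip_is_lossless($submitted) ? 'yes' : 'no') . "\n";
```

The design point is where the decode happens: it is the last step before the template echoes the value, never at load time, so the encoded form is what travels through models, caches and logs. Keep `ENT_QUOTES` on both sides; without it a double-quoted attribute value would survive encoding and the round trip would no longer be symmetric.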