Codeigniter XSS验证 [英] codeigniter xss validation
问题描述
在CI 用户指南中,它说以下是所有可用的准备功能:
In CI userguide it says "The following is a list of all the prepping functions that are available to use:"
xss_clean = 通过XSS过滤功能运行数据...。 。
我的代码中的注释是我的问题。请阅读。
Comments in my code has my question. Please read.
注意:不希望在全球启用xss !!!!
Note: Not interested enabling xss globally!!!
预先感谢
$this->form_validation->set_rules('select_language', 'Language', 'trim|required|xss_clean');
//Has this been cleaned above while validating and ready to be used or ...
$language = $this->input->post('text_fullname');
//... do I have to add true to run the data through the XSS filtering again myslef?
$language = $this->input->post('text_fullname', true);
推荐答案
在您实际使用之前,帖子数据不会被过滤运行表单验证。
The post data won't be filtered until you actually run the form validation.
$this->form_validation->set_rules(
'select_language',
'Language',
'trim|required|xss_clean'
);
// Unaltered $_POST input
$this->input->post('select_language');
$this->form_validation->run();
// Trimmed and xss_cleaned
$this->input->post('select_language');
在旁边:在我看来,在输出,而不是输入。例如,如果在将来的版本中对xss过滤器进行了改进,则您想利用它吗?如果仅过滤输入,则在输出上不再次运行xss_clean函数 是不可能的,这违背了将其用作表单验证规则的目的。
Aside: In my opinion, xss filtering makes more sense to use where it actually matters, on output, not input. For example, if the xss filter is improved in a future release, you would want to take advantage of it right? If you filter input only, it would be impossible without running the xss_clean function again on your output, which defeats the purpose of using it as a form validation rule.
这篇关于Codeigniter XSS验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!