Codeigniter XSS validation


Question

In the CI user guide it says "The following is a list of all the prepping functions that are available to use:"

xss_clean = Runs the data through the XSS filtering function...

The comments in my code contain my question. Please read.

Note: Not interested in enabling xss globally!!!

Thanks in advance

$this->form_validation->set_rules('select_language', 'Language', 'trim|required|xss_clean');

// Has this been cleaned above while validating and ready to be used or ...
$language = $this->input->post('select_language');

// ... do I have to add TRUE to run the data through the XSS filtering again myself?
$language = $this->input->post('select_language', TRUE);


Answer

The post data won't be filtered until you actually run the form validation.

$this->form_validation->set_rules(
    'select_language',
    'Language',
    'trim|required|xss_clean'
);

// Unaltered $_POST input
$this->input->post('select_language');

$this->form_validation->run();

// Trimmed and xss_cleaned
$this->input->post('select_language');

Aside: In my opinion, xss filtering makes more sense to use where it actually matters, on output, not input. For example, if the xss filter is improved in a future release, you would want to take advantage of it, right? If you filter input only, it would be impossible without running the xss_clean function again on your output, which defeats the purpose of using it as a form validation rule.
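The aside above argues for escaping at output time instead of rewriting input with xss_clean. The script below is an added example illustrating that point; it is not code from the original question or answer and not CodeIgniter's own code. It assumes plain PHP with no framework, a constructed allowlist of language codes, and a constructed hostile payload standing in for whatever `$this->input->post('select_language')` would return with no filtering applied. The helper names `validate_language`, `escape_html` and `escape_js_string` are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original question or answer and not
// CodeIgniter's own code. Keep the submitted value as-is, validate what it
// is allowed to be, and escape it for the context it is rendered into.
// Assumptions: plain PHP, a constructed allowlist, a constructed payload.

const ALLOWED_LANGUAGES = ['en', 'fr', 'de'];

// Constructed sample input: what a client can send in the POST body
// regardless of which options the <select> actually offered.
$submitted = '<script>alert(1)</script> "fr" & </option>';

/**
 * Validation: decide whether the value is acceptable, do not rewrite it.
 * A language code is either on the allowlist or the request is rejected;
 * nothing hostile reaches storage and nothing legitimate gets mangled.
 */
function validate_language(string $value): ?string
{
    return in_array($value, ALLOWED_LANGUAGES, true) ? $value : null;
}

/**
 * Output escaping for HTML text content and double-quoted attribute values.
 * htmlspecialchars() with ENT_QUOTES encodes < > & " ' as entities;
 * CodeIgniter's html_escape() helper wraps the same call.
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Output escaping for a JavaScript string literal inside a <script> block.
 * A different context needs a different escaper: the JSON_HEX_* flags
 * encode < > & ' " as \uXXXX so "</script>" cannot close the block early.
 */
function escape_js_string(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 1. Validation at input time: the hostile value is rejected outright.
$language = validate_language($submitted);
if ($language === null) {
    echo "rejected: not an allowed language\n";
    $language = 'en'; // constructed fallback so the rendering below still runs
}

// 2. Escaping at output time, once per context. Even if a free-text field
//    (a name, a comment) had been stored raw, this is where it is made inert,
//    and improving the escaper later improves every page that uses it.
$raw_for_display = $submitted; // stands in for a value read back from storage untouched

echo 'html text:  <p>' . escape_html($raw_for_display) . "</p>\n";
echo 'html attr:  <option value="' . escape_html($raw_for_display) . '" selected>'
    . escape_html($language) . "</option>\n";
echo 'javascript: <script>var lang = ' . escape_js_string($raw_for_display) . ";</script>\n";
```

The split is the practical answer to the question: validation rules decide whether a request is acceptable (an allowlist for a select field, a length or pattern check for free text), while escaping belongs in the view, chosen per output context. Filtering input with xss_clean does neither job well, because it rewrites data it cannot fully understand and freezes the filter's behaviour into whatever was stored.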
