CodeIgniter: Apply XSS filter as mandatory

If you are kind of novelty in web programming, and you have no idea what the XSS is, now I tell you what it is : “It is one kind of web application security hole that make use of unsanitized input so the intruder can input some Javascript/HTML in it”. And is it big deal? Yes, of course, because if they can do that, The malicious user input will be interpreted as real Javascript/HTML tag and therefore it will be processed/executed when it is printed.

Thankfully, CodeIgniter as one of PHP Application Framework which still gaining user base has a capability to deal with it. It has a XSS filtering mechanism which could be implemented to sanitized user input from GET/POST/Cookie data. If you want to use that, you just need to open CodeIgniter configuration file /application/config/config.php and edit this line :

$config['global_xss_filtering'] = TRUE;  # It is FALSE by default

And now if some adversary do inputting something like <script>alert(0);</script> inside of one of your application’s input, It will converted to be [removed]alert(0);[removed] so that it won’t be interpreted as a Javascript.

But remember, stick with using $this->input->post("variable") or $this->input->get("variable") when you are dealing with user input. Forget about that thing you learnt in first-time PHP class ($_POST[] or $_GET[]).

Leave a Reply

Your email address will not be published. Required fields are marked *


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Current ye@r *