xss protection and html purifier

0
votes

I am currently using the CodeIgniter framework, and looking to strengthen the XSS protection by using HTMLPurifier (http://htmlpurifier.org/).

Is my understanding correct that you want to 'clean' data on post, so that its purified before its inserted into the Database? Or do I run it before displaying in the view?

If so, do I want to run HTMLPurifier on every single post that takes place? Since the app contains a lot of forms, I'd hate to have to selectively choose what gets cleaned and what doesnt - assuming that I can intercept all posts, is this the way to go? Of course, I validate some fields anyway (like email addresses, numeric numbers, etc)

1
codeigniterxsshtmlpurifier

1 Answers

0
votes

Use $this->input->post() to get $_POST data. Codeigniter filters it automatically if global xss filter is set to true.

See the docs: http://codeigniter.com/user_guide/libraries/input.html

Edit: to clarify

Yes you should filter before inserting into the DB and yes you should filter all user input.

A quick google search, http://www.google.com/search?q=codeigniter+htmlpurifier, led to this page: http://codeigniter.com/wiki/htmlpurifier which is a helper for htmlpurifier. Regarding catching all $_POST data: you have to do something with the data, right? In your models, when you're doing that something, just make purify() part of that process:

$postdata = purify($_POST);