How to avoid double-escaping and keep safe from XSS using the set_value function in CodeIgniter
Hi and thanks for reading.
I work on CodeIgniter 3 with PHP 7.0, and use forms with the form_helper.
First I had problems re-populating the form with the set_value function after using the form_validation library in my controller. I was using set_value in my form helper like this:
$my_input = array(
'name' => 'my_name',
'value' => set_value('my_name')
);
echo form_label('Title :');
echo form_textarea($my_input);
So with some text like this:
she's the chief's lady
The form was re-populated like this:
she's the chief's lady
It's not a big problem, because when I register this data and fill in a field, in HTML it will produce the right sentence.
BUT if there is another mistake in the form, then the sentence will be registered like this:
she's the chief's lady
and now my data is not right anymore.
So I read the CodeIgniter docs and found this:
The third (optional) parameter allows you to turn off HTML escaping of
the value, in case you need to use this function in combination with
i.e. form_input() and avoid double-escaping.
So great, I solved my escaping problem. But what about XSS injection? This practice seems very dangerous; I don't understand why it's the best way if I trust the CodeIgniter docs (I made a quick test with an alert script and the security failed). So:
1) What's the best way to keep safe, and to avoid escaping when I have to re-populate a form?
2) The only person seeing the evil input is the one who has written it, but is it still dangerous for my web application or not?
3) And if there's no danger when re-populating a form with the data sent, why do we need to set the escaping parameter to FALSE in set_value()? Why is the default value not set to FALSE?
EDIT: I added the last 2 questions
php codeigniter-3 xss
edited Mar 11 at 7:49
asked Mar 8 at 14:29
Benoit Poux
285
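The following is an added, stand-alone example and not code from the question or from CodeIgniter itself. It models the three CodeIgniter 3 helpers the question relies on, as their documentation and source describe them: html_escape() is htmlspecialchars() with ENT_QUOTES, set_value() escapes by default and skips escaping when its third argument is FALSE, and form_textarea() escapes its value once on its own. The $post array is a constructed stand-in for the request after a failed validation, and browser_resubmits() is a constructed model of the browser decoding the entities it shows inside the textarea before posting them back. It shows why the default set_value() plus form_textarea() produces the double-escaped text the question describes, why the documented FALSE flag fixes the round-trip without losing XSS protection, and where the flag does become dangerous.

```php
<?php
// Added example: a stand-alone model of the CodeIgniter 3 helpers involved,
// NOT CodeIgniter's own code. Assumptions: html_escape() is htmlspecialchars()
// with ENT_QUOTES, set_value() escapes unless its third argument is FALSE,
// and form_textarea() escapes its value exactly once itself.
declare(strict_types=1);

function ci_html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/** Models set_value($field, $default, $html_escape) reading the posted value. */
function ci_set_value(array $post, string $field, string $default = '', bool $html_escape = true): string
{
    $value = $post[$field] ?? $default;
    return $html_escape ? ci_html_escape($value) : $value;
}

/** Models form_textarea(): the helper escapes the value once, whatever it gets. */
function ci_form_textarea(array $data): string
{
    return '<textarea name="' . ci_html_escape($data['name']) . '">'
        . ci_html_escape($data['value']) . "</textarea>\n";
}

/** Constructed model of what a browser posts back: the textarea's decoded text. */
function browser_resubmits(string $textarea_html): string
{
    preg_match('~<textarea[^>]*>(.*)</textarea>~s', $textarea_html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed request data standing in for $_POST after a failed validation.
$post = ['my_name' => "she's the chief's lady"];

// 1) The pattern in the question: set_value() escapes, then form_textarea()
//    escapes again, so the user sees &#039; and a resubmit stores the wrong data.
$double = ci_form_textarea(['name' => 'my_name', 'value' => ci_set_value($post, 'my_name')]);
echo "double-escaped : ", $double;                        // she&amp;#039;s ...
echo "resubmitted as : ", browser_resubmits($double), "\n\n"; // she&#039;s ...

// 2) The documented fix: set_value(..., FALSE) leaves escaping to the helper,
//    which still escapes once, so the round-trip is lossless and still safe.
$single = ci_form_textarea(['name' => 'my_name', 'value' => ci_set_value($post, 'my_name', '', false)]);
echo "single-escaped : ", $single;                        // she&#039;s ...
echo "resubmitted as : ", browser_resubmits($single), "\n\n"; // she's ...

// 3) The real hazard: FALSE is only safe when something downstream escapes.
//    Echoing the raw value into markup yourself is a reflected XSS hole.
$post['my_name'] = '</textarea><script>alert(document.cookie)</script>';
$unsafe = '<textarea name="my_name">' . ci_set_value($post, 'my_name', '', false) . "</textarea>\n";
$safe   = ci_form_textarea(['name' => 'my_name', 'value' => ci_set_value($post, 'my_name', '', false)]);
echo "raw echo (XSS) : ", $unsafe;   // script tag lands in the page as-is
echo "via helper     : ", $safe;     // &lt;/textarea&gt;&lt;script&gt;... stays inert
```

Run it with `php example.php`. The rule it illustrates is the usual one for output encoding: escape exactly once, at the point where the value is written into a specific output context. In CodeIgniter 3 the form helpers already do that for the HTML contexts they generate, so set_value() should be told not to escape when its result is handed to form_input() or form_textarea(); the default of TRUE exists for the other case, where set_value() is echoed directly into a template and nothing else would escape it. The "alert script" test in the question only succeeds when the FALSE-flagged value reaches the page without passing through a helper or html_escape(), as in case 3 above.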
1 Answer
CodeIgniter will safely prevent SQL injection when anything goes into its models. As you’re just displaying the result in the browser, there’s not an injection risk as all you’re doing is displaying what they’ve written back to them.
But, you have a good point about JavaScript, or another tag. Assuming that the only person that can get to the input box is the author of its contents, and that you are escaping the results of it when it’s viewed by other people, then the only person they can ever produce an alert box (or worse) for is themselves, which of course they can do anyway in the console.
If you were still worried, you could always use PHP’s strip_tags() on this field.
answered Mar 8 at 14:38
Thomas Edwards
7,695
So if I understood well, it's not dangerous for the application and the end users, because it affects only the author of the bad content!? That's all I wanted to know, thanks for your answer ;) PS: interesting function strip_tags(), but not 100% safe, so I prefer something like HTML Purifier.
– Benoit Poux
Mar 8 at 15:54
I thought about what you said, and I have another question: if there's no danger when re-populating a form with the data sent, why do we need to set the escaping parameter to FALSE in set_value()? Why is the default value not set to FALSE? And to be sure, could you confirm this fact please? The only person seeing the evil input is the one who has written it, but is it still dangerous for my web application or not? Thanks @Thomas Edwards
– Benoit Poux
Mar 11 at 8:00
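The answer suggests strip_tags() as a belt-and-braces measure and the comment notes it is "not 100% safe". The following added example, which is not part of the thread and uses no CodeIgniter code, shows concretely why: it renders a re-populated text input (the markup form_input() would emit, written out by hand here) with the value passed through strip_tags() and, separately, through htmlspecialchars() with ENT_QUOTES, which is what CodeIgniter's html_escape() does. The three inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread: why strip_tags() is a poor
// substitute for output escaping when re-populating a form. Plain PHP; the
// input markup mirrors what CodeIgniter's form_input() produces.
declare(strict_types=1);

/** Re-populate a text input with a value that has been passed through $filter. */
function render_input(string $value, callable $filter): string
{
    return '<input type="text" name="title" value="' . $filter($value) . '">';
}

// The two candidate defences. htmlspecialchars() with ENT_QUOTES is the same
// call CodeIgniter 3's html_escape() makes.
$strip  = function (string $s): string { return strip_tags($s); };
$escape = function (string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };

// Constructed inputs: a tag-based payload, an attribute-breakout payload that
// contains no angle brackets at all, and harmless text that happens to contain markup.
$inputs = [
    'tag payload'        => '<script>alert(1)</script>',
    'attribute breakout' => '" autofocus onfocus="alert(1)',
    'legitimate text'    => 'Use <b>bold</b> sparingly',
];

foreach ($inputs as $label => $value) {
    echo $label, "\n";
    // strip_tags: removes the <script> tag (fine), leaves the attribute breakout
    // untouched (the input now fires alert(1) on focus), and silently deletes
    // the <b> from legitimate data.
    echo "  strip_tags      : ", render_input($value, $strip), "\n";
    // htmlspecialchars: every payload stays inside the quoted attribute as
    // inert text, and the legitimate text is shown to the user unchanged.
    echo "  htmlspecialchars: ", render_input($value, $escape), "\n";
}
```

The attribute-breakout line is the one to look at: strip_tags() only knows about angle brackets, so a value that closes the quoted attribute with `"` passes through it unchanged and the rendered input becomes `value="" autofocus onfocus="alert(1)"`. Context-appropriate escaping (htmlspecialchars with ENT_QUOTES for HTML text and double-quoted attributes) keeps the quote as `&quot;` and needs no guessing about which characters are dangerous; a value written into a JavaScript string, a URL or a CSS context needs the encoder for that context instead. Two caveats on the "only the author sees it" reasoning in the answer: the re-populated value comes straight from the request, and a third-party page can submit that request on a victim's behalf unless the framework rejects it first (CodeIgniter 3's CSRF protection, when enabled, does this for POST forms), so an unescaped re-population is reflected XSS against other users rather than self-XSS; and a sanitiser such as HTML Purifier belongs on input that is meant to contain HTML, while a plain text field like this one is correctly protected by escaping on output alone.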