Codeigniter 3 - XSS Filtering - codeigniter

I am working with code someone else built. I see XSS filtering active in the config:
$config['global_xss_filtering'] = TRUE;
I also see this is deprecated. I also found this in the Input class:
$this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
This means that if I activate "global_xss_filtering" in the config, it will apply XSS filtering even if I turn off XSS on input->post.
This means I have to turn it off in the config and use
$this->security->xss_clean($this->input->post());
My Questions are the following:
If no XSS filtering is applied through $this->input->post('variable'), what are the other advantages of using this and not $_POST?
What is the correct way to do XSS filtering in CodeIgniter 3?
Thanks in advance.

What is the correct way to do XSS filtering in CodeIgniter 3?
The current consensus in the development community seems to be that XSS filtering should be done at output instead of input. There are strong arguments and supporters for both input and output filter though.
It is a large and somewhat complex topic. Find more than you wanted to know at
https://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/cross-site-malicious-content.html
and
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Introduction
and
https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know
After reading and comprehending all of that you may find that preventing XSS requires a lot of thought and work during both input and output.
Many people recommend not using Codeigniter's XSS functionality and opt for something like HTML Purifier instead.
If no XSS filtering is applied through $this->input->post('variable'), what are the other advantages of using this and not $_POST?
The primary advantage of using $this->input->post('variable') is that it will check that the index ('variable') exists in $_POST. To use $_POST directly you really should make sure the array has that index.
if (isset($_POST['variable']))
{
    // do stuff with $_POST['variable']
    ...
}
Without the isset test you run the risk of fatal runtime errors. So using $this->input->post('variable') removes the tedium of continually building that if block.

On the project http://conferience.com that I worked on two years ago, we used HTML Purifier to prevent XSS attacks. Also, when plaintext input was needed, we just stripped any HTML using PHP's native strip_tags method.
Therefore we set the following setting:
$config['global_xss_filtering'] = FALSE;
And used manual handling on the $_POST['something'] / $this->input->post('something') inputs.
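The two answers above take the same decision (global_xss_filtering off) in different directions: escape at output, or strip HTML at input. This added example, not code from either answerer or from CodeIgniter itself, runs the two approaches side by side on constructed inputs in plain PHP so it works without the framework; CodeIgniter 3's html_escape() helper does essentially what escapeHtml() does here.

```php
<?php
// Added example (not from the original answers): contrasts filtering at
// input time with escaping at output time. Plain PHP, no CodeIgniter needed.

// Constructed sample inputs: one hostile, two legitimate values containing '<'.
$samples = [
    'hostile'   => '<script>alert(1)</script>',
    'compare'   => 'x<y is a comparison',
    'html_demo' => 'Use <b> for bold',
];

// Input-time filtering: strip_tags() (as the second answer describes) is lossy.
// Once the markup is gone there is no way to recover what the user typed, and
// legitimate '<' characters in ordinary text are lost along with the tags.
function filterAtInput(string $value): string
{
    return strip_tags($value);
}

// Output-time escaping: store the raw value, encode it for the HTML context it
// is rendered into. Lossless: the browser displays exactly what was submitted,
// and the markup is never interpreted.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Attribute context: the same encoding, and the attribute must be quoted so an
// injected space cannot start a new attribute.
function renderInput(string $name, string $value): string
{
    return sprintf('<input type="text" name="%s" value="%s">',
        escapeHtml($name), escapeHtml($value));
}

foreach ($samples as $label => $raw) {
    printf("%-10s raw:      %s\n", $label, $raw);
    printf("%-10s stripped: %s\n", '', filterAtInput($raw));   // lossy
    printf("%-10s escaped:  %s\n", '', escapeHtml($raw));      // reversible
    printf("%-10s attr:     %s\n\n", '', renderInput('q', $raw));
}
```

Run it with `php xss_demo.php`; the 'html_demo' line shows the information strip_tags() throws away, while the escaped form of every sample can be rendered safely in a view and still reads back as the original text.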

Bitrix CMS, how to get cached data based on GET parameter in template of standart component?

I'm working with the component bitrix:catalog (which is a standard one) and have faced an issue. I want to add some extra GET parameters to switch the view mode. I think there is no need to rewrite the whole component to make such a switcher, so I added extra keys in result_modifier in a way similar to:
$this->__component->arResultCacheKeys = array_merge($this->__component->arResultCacheKeys, array('key1', "key2"));
Earlier in the same result_modifier I add those extra keys in $arResult['key1'] etc. They seem to be correctly saved, but only for the current request, such as ?view=list or view=card; that means only one variable value is saved and it does not react to changes of the GET parameter. Is there a simple and correct way to make that component cache and output data based on a GET variable? The only idea which came to my mind is to rewrite the component by adding an extra parameter and checking GET, but I think there must be a simpler and more correct solution via the template. Human Readable Links are turned on. And I want to have auto-cache turned on as well. If I turn it off it starts working as planned.
One possible solution is to rewrite its cache with SetTemplateCachedData, but it still seems to me a rough and incorrect way for such a simple task.
Bitrix masters, please help me to find the correct solution; Google can't help at the moment.
If you use the standard bitrix:catalog component, you may be using the standard bitrix:catalog.section. That component.php uses the standard component cache.
That means you can describe an additional parameter in your custom .parameters.php, and set it in the bitrix:catalog.section params.
The standard component cache sets cacheId based on arParams.
So your component include should look like this:
$APPLICATION->IncludeComponent(
    "bitrix:catalog.section",
    "",
    array(
        "IBLOCK_TYPE" => $arParams["IBLOCK_TYPE"],
        "IBLOCK_ID" => $arParams["IBLOCK_ID"],
        "ELEMENT_SORT_FIELD" => $arParams["ELEMENT_SORT_FIELD"],
        "ELEMENT_SORT_ORDER" => $arParams["ELEMENT_SORT_ORDER"],
        ....
        ....
        "NEW_ADDITIONAL_GET_PARAMS" => $_GET['view']
    ),
    $component
);
Of course a better way is something like
"NEW_ADDITIONAL_GET_PARAMS" => (isset($_GET['view']) && in_array($_GET['view'], array('list', 'card'), true)) ? $_GET['view'] : 'list'
But maybe you just need to set the right catalog params: SEF_MODE, SEF_FOLDER, SEF_URL_TEMPLATES.

Accessing dynamic links in the format of domain.com/<dynamic_page_name> in CodeIgniter

I am using CodeIgniter for my PHP project. I want to add a provision to my site such that users can create new pages of their own, and access them directly from domain.com/their_page_name.
But my developers have raised a concern that thousands of dynamic links presented in the format of domain.com/ are "not good for the site's performance". For some 10-15 pages it is fine, but beyond that it would affect the site's performance.
So they proposed that the URL format should be like www.domain.com/something/page_name (here, 'something' is the controller name, as they mentioned it).
But I really can't sacrifice my framework nor my requirement.
Is there any way that I can achieve the format "www.domain.com/page_name" without affecting the site's performance?
Thanks in advance.
No issues with
www.domain.com/userpagename.
It's not a framework issue. CodeIgniter supports this type of URL; you can create any number of URLs.
Performance will depend on how you are handling that particular controller or that particular function.
Whether it's 10 or 100, it works the same way.
You just have to set up the routes accordingly.
$route['default_controller'] = 'userurl';
$route['userurl/(:any)'] = 'userurl/yourfunction/$1';
What it seems you need is a dynamic controller, which can be done using CodeIgniter's built-in function _remap().
A code example is:
public function _remap($method, $params = array())
{
    if ($method != null) {
        $this->yourFunction($method);
    } else {
        // handle the error as you like
    }
}
public function yourFunction($key)
{
    // your code logic here
}
All this code block goes inside your controller.
Edit: the performance is exactly the same as going with domain.com/controller/method. What matters, as stated above, is how you handle the data.
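As an added example (not the answerer's code), here is the _remap() sketch above turned into a complete CodeIgniter 3 controller, with the "handle the error as you like" branch filled in: the user-supplied first URL segment is validated as a slug before it is used for any lookup, and anything else gets a 404. It assumes the route from the previous answer points at this controller and a hypothetical Page_model::get_by_slug() that returns a row object or NULL; the view names are also assumptions.

```php
<?php
// Added example (not the original answer's code): a complete controller built on
// the _remap() idea. Assumptions: $route['userurl/(:any)'] = 'userurl/$1';
// sends every first segment here, and the hypothetical Page_model::get_by_slug()
// returns a row object (with ->title and ->body) or NULL.
defined('BASEPATH') OR exit('No direct script access allowed');

class Userurl extends CI_Controller
{
    // Only slugs of this shape are ever looked up; anything else is a 404, so
    // odd characters never reach the model, the cache key or a file path.
    const SLUG_PATTERN = '/\A[a-z0-9][a-z0-9-]{0,63}\z/';

    public function __construct()
    {
        parent::__construct();
        $this->load->model('page_model'); // hypothetical model
    }

    // CodeIgniter calls this instead of a method named after the URL segment.
    // $method is 'index' when no segment is present.
    public function _remap($method, $params = array())
    {
        if ($method === 'index') {
            return $this->index();
        }
        return $this->page($method);
    }

    public function index()
    {
        $this->load->view('home'); // assumed view
    }

    // Validate the slug first; show_404() renders the error page and exits.
    public function page($slug)
    {
        if (preg_match(self::SLUG_PATTERN, $slug) !== 1) {
            show_404();
        }
        $page = $this->page_model->get_by_slug($slug);
        if ($page === NULL) {
            show_404();
        }
        // Stored raw, escaped here at output (see the XSS answers above). For
        // pages whose body is user-authored HTML, use a purifier instead.
        $this->load->view('page', array( // assumed view
            'title' => html_escape($page->title),
            'body'  => html_escape($page->body),
        ));
    }
}
```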

Spring MVC: how to get case-insensitive ordering from Pageable

I am trying to support case-insensitive ordering in my Spring MVC app when users click on the column headings on my web page. When the page is rendered a Thymeleaf extension creates an anchor and the href is the current URL with some parameters supported by Pageable: i.e. page, size and sort.
The sort=propertyName,ASC format works fine, but I can't find out how to say that the sort should be case-insensitive from the URL. I can do it in code easily enough but the standard Pageable support doesn't seem to support it.
After some debugging it appears that the standard framework org.springframework.data.web.SortHandlerMethodArgumentResolver just doesn't have any support for org.springframework.data.domain.Sort.Order.ignoreCase.
I'm somewhat bemused about this, and am wondering if there's a good reason why?
I can look into creating my own SortHandlerMethodArgumentResolver class, and make it parse ASCI|DESCI (to mean case-insensitive), and ASCS|DESCS (to mean case-sensitive) and produce the appropriate Sort object, but this strikes me as quite a bit of work and a serious "code smell".
I can't be the first person to stumble across this. Does anyone have any advice?
I think the only option is to implement your own custom SortHandlerMethodArgumentResolver. The documentation has a brief guideline for this: http://docs.spring.io/spring-data/data-commons/docs/1.6.1.RELEASE/reference/html/repositories.html
To customize this behavior extend either SpringDataWebConfiguration or the HATEOAS-enabled equivalent and override the pageableResolver() or sortResolver() methods and import your customized configuration file instead of using the @Enable-annotation.
For the format I would make it a comma-separated string of 3 elements: field name, direction, ignoreCase flag. Something like this:
sort=name,ASC,ignore
The last element is optional so it's possible to have:
sort=name,ASC
which would mean that ignoreCase is false.
Also it should be possible to specify only field name like:
sort=name
which would mean the default direction of ASC and ignoreCase is false.
The only issue is if you want to pass ignoreCase flag you must pass the direction which should not be a big problem I think.
Hope this helps!
Btw here is a JIRA item for this improvement https://jira.spring.io/browse/DATACMNS-658 (Extend SortHandlerMethodArgument resolver to be able to detect the request for ignore-case)
If somebody is using Spring Data Commons 2.3 RC1 or later and is looking for the query params, use the following. (Ignoring case in sorting is available out of the box in Spring Data Commons 2.3 RC1 and later.)
sort=name,ASC,ignorecase

codeigniter select and get security

I have a question about this query: does CodeIgniter prevent SQL injection when we use this query?
$this->db->like();
$query = $this->db->get();
Despite lolipap's bad attitude, I may as well offer an answer that actually responds to this code.
First off, this will never work, so the question of whether it prevents SQL injection is moot. In order to actually get anything back from this you would need to define both the like conditions and the table from which to perform the get, e.g.
$this->db->like('field','string');
$this->db->get('table');
Additionally, it can never be vulnerable to SQL injection as in the example code (the code we are supposed to help support) there are no arguments passed. If the code were even close to being a viable real-world example it might look like this:
$some_input = $this->input->post('something_from_the_outside_world');
$this->db->like('field', $some_input); // maybe the question is whether this is sanitized??
$this->db->get('table');
If the question is whether this input is sanitized for SQL injection then the answer is yes, of course it is, or what's the point of the Active Record class.
If you want to further clean this for cross-site scripting you either need to define this in the config.php file, e.g.
$config['global_xss_filtering'] = TRUE;
or use the form validation library and run the rule xss_clean.

How can I use GET forms with CodeIgniter?

I understand that CI is mostly URL segment based, but I want to have a query string: blahblah.com/search.html?q=keyword
When I try $this->input->get( "q" ), it returns empty. Is there a route or something I need to configure?
Why not make it http://mysite.com/search/keyword/
You have to enable query strings.
CodeIgniter optionally supports this capability, which can be enabled in your application/config.php file. If you open your config file you'll see these items:
$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
If you change "enable_query_strings" to TRUE this feature will become active. Your controllers and functions will then be accessible using the "trigger" words you've set to invoke your controllers and methods:
index.php?c=controller&m=method
Example: index.php?c=products&m=view&id=345
http://codeigniter.com/user_guide/general/urls.html
The best way to get query strings working in CodeIgniter is to use Google. This question is asked (and answered) on the forums, here and on twitter at least 10 times a day.
There are a few methods, but recently I am a fan of the following method:
http://www.dijexi.com/2009/08/how-to-mix-segment-and-query-string-in-codeigniter/
I prefer this over others as it will have no application-wide effects like some other approaches and it won't require any crazy hacking to get it working.
If you want this $_GET support throughout the entire app, just put the parse_str into MY_Controller or a pre_controller hook.