⚠ In case you've missed it, we have migrated to our new website, with a brand new forum. For more details about the migration you can read our blog post for website migration. This is an archived forum. ⚠
Posted 07 August 2015 - 00:19 AM
Hi!
I wonder how I'm able to prevent xss atacks on grocery crud by filtering the output. I can't use the Codeigniter feature, since it's deprecated and they say you should filter the output data, not the data that will be stored on db.
If I save some post that is for example: '<script>alert("that's not good")</script>', when I'm in the grid, if this column is shown, the script is executed. How can I prevent it?
Again, I can't change the data before saving on db. Thanks!
Posted 08 March 2016 - 16:19 PM
Posted 08 March 2016 - 16:47 PM
Hi,
To prevent XSS in the crud did a function that filters the $post_array. Example:
function xss_clean($post_array, $primary_key = null){
foreach ($post_array as $key => $value) {
$post_array[$key] = $this->security->xss_clean($value);
}
return $post_array;
}
Use:
public function my_table(){
$this->load->database();
$crud = new grocery_CRUD();
$crud->set_theme('flexigrid');
$crud->set_table('my_table');
$crud->set_subject('My Table');
$crud->callback_before_update(array($this,'xss_clean'));
$crud->callback_before_insert(array($this,'xss_clean'));
$output = $crud->render();
$this->_admin_output($output);
}
I hope it helps.
Bye!
Posted 19 March 2017 - 09:42 AM
I have good news. The latest version of grocery CRUD (version 1.5.8) now also includes an xss_clean configuration. For more also check the thread that we did open on github: https://github.com/scoumbourdis/grocery-crud/issues/331#issuecomment-271142570