Cross-Site scripting #3677
Replies: 3 comments
-
I was just doing a little more research but possibly HTML Purifier might be a better fit? http://htmlpurifier.org/download I don't know how lightweight it is, but I can tell you that xss_clean() is very bulky. 50% of the processor time it takes to import an item CSV file is xss_clean. I know because I benchmarked it and the process was crazy fast when I didn't run xss_clean on it.
-
BTW, I started this discussion here rather than creating an issue, because of the nature of discussing whether the code is potentially vulnerable with our current implementation of anti-XSS methods.
-
If this is a drop-in replacement then perfect. I also think that we can limit the impact of XSS by blocking scripts loaded from different domains using a Content Security Policy header, for example. But indeed, as this xss_clean was discontinued, it would make sense to replace it with something configurable. I'll have a closer look once I'm back in my home office.
-
I was just reading up on xss_clean() and it seems like there is a lot of consensus that xss_clean() is not effective. (https://stackoverflow.com/questions/5337143/codeigniter-why-use-xss-clean).
Are we potentially gaining a false sense of security by relying on xss_clean() to do our XSS prevention?
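The third and last comments point to the same conclusion: a blacklist input filter such as xss_clean() is not where XSS prevention belongs. The added example below (not code from this thread, from OSPOS or from CodeIgniter) stores imported CSV fields unchanged and escapes them once per output context at render time, with a Content Security Policy header as a second layer; the function names, the sample row and the CSP policy are assumptions for illustration.

```php
<?php
// Added example, not project code. Assumes CSV import rows are stored raw
// (no per-row filter on import) and escaping happens at output, per context.
declare(strict_types=1);

/** Escape for HTML element content and for quoted attribute values. */
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape for a JavaScript string literal inside an inline <script>. */
function escJs(string $s): string
{
    // JSON_HEX_* keep <, >, &, ', " out of the literal even inside a script block.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Escape for a single URL query parameter value. */
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

/** Defence in depth: only same-origin or nonce-tagged scripts may run. */
function cspHeader(string $nonce): string
{
    // Assumed policy; tighten or loosen to match the pages the app actually serves.
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-$nonce'; object-src 'none'; base-uri 'self'";
}

// Constructed sample row, as it might arrive from an item CSV import (stored as-is).
$item = ['name' => 'Widget "Pro" <B&W>', 'note' => "O'Reilly's special"];

$nonce = bin2hex(random_bytes(16));
header(cspHeader($nonce));   // must be sent before any output
?>
<p><?= escHtml($item['name']) ?></p>
<input type="text" value="<?= escHtml($item['note']) ?>">
<a href="/items/search?q=<?= escUrlParam($item['name']) ?>">search</a>
<script nonce="<?= escHtml($nonce) ?>">
  var itemName = <?= escJs($item['name']) ?>;
</script>
```

Escaping covers plain-text fields, which is what an item CSV carries; where a field must keep markup (a rich-text description), a whitelist sanitiser such as HTML Purifier is the right tool, applied to that field only rather than to every imported row.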