summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2017-02-20 10:35:24 +0100
committerAndrey Andreev <narf@devilix.net>2017-02-20 10:35:24 +0100
commit56d1a70e8149529058e442f4876e90ff963c533a (patch)
treea518749a48d99da6f48af7d2a9a09d3890702d55
parent17e2fa90070d2b0521e7ec14116b5dff71958c1a (diff)
[ci skip] Add a note on xss_clean() and HTML attributes
-rw-r--r--user_guide_src/source/libraries/security.rst11
1 files changed, 9 insertions, 2 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index f7604ef00..fc5cba19d 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -40,6 +40,9 @@ browser may attempt to execute.
// file failed the XSS test
}
+.. important:: If you want to filter HTML attribute values, use
+ :php:func:`html_escape()` instead!
+
*********************************
Cross-site request forgery (CSRF)
*********************************
@@ -101,7 +104,11 @@ Class Reference
:rtype: mixed
Tries to remove XSS exploits from the input data and returns the cleaned string.
- If the optional second parameter is set to true, it will return boolean TRUE if the image is safe to use and FALSE if malicious data was detected in it.
+ If the optional second parameter is set to true, it will return boolean TRUE if
+ the image is safe to use and FALSE if malicious data was detected in it.
+
+ .. important:: This method is not suitable for filtering HTML attribute vales!
+ Use :php:func:`html_escape()` for that instead.
.. php:method:: sanitize_filename($str[, $relative_path = FALSE])
@@ -162,4 +169,4 @@ Class Reference
Used for generating CSRF and XSS tokens.
.. note:: The output is NOT guaranteed to be cryptographically secure,
- just the best attempt at that. \ No newline at end of file
+ just the best attempt at that.