diff options
author | Andrey Andreev <narf@devilix.net> | 2015-02-28 18:54:17 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2015-02-28 18:54:17 +0100 |
commit | 9187ed3516ba403d09fc88ebcf6ead7364f75c4d (patch) | |
tree | 5078d32ca09047e266c86aa80e2acd4070c1b45d /user_guide_src/source/installation/upgrade_300.rst | |
parent | 52caf59f244e0c1363ac0ce6ba61a7f5001603df (diff) |
[ci skip] Formally deprecate 'global_xss_filtering'
Diffstat (limited to 'user_guide_src/source/installation/upgrade_300.rst')
-rw-r--r-- | user_guide_src/source/installation/upgrade_300.rst | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 90d56c25c..2f806cccf 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -551,6 +551,22 @@ PHP's native ``hash()`` function. It is deprecated and scheduled for removal in .. note:: This function is still available, but you're strongly encouraged to remove its usage sooner rather than later. +The $config['global_xss_filtering'] setting +=========================================== + +As already explained above, XSS filtering should not be done on input data, +but on output instead. Therefore, the ``$config['global_xss_filtering']``, +which automatically filters *input* data, is considered a bad practice and +is now deprecated. + +Instead, you should manually escape any user-provided data via the +:php:func:`xss_clean()` function when you need to output it, or use a +library like `HTML Purifier <http://htmlpurifier.org/>`_ that does that +for you. + +.. note:: The setting is still available, but you're strongly encouraged to + remove its usage sooner rather than later. + File helper read_file() ======================= |