diff options
author | Andrey Andreev <narf@devilix.net> | 2017-02-20 10:35:24 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2017-02-20 10:35:24 +0100 |
commit | 56d1a70e8149529058e442f4876e90ff963c533a (patch) | |
tree | a518749a48d99da6f48af7d2a9a09d3890702d55 /user_guide_src/source | |
parent | 17e2fa90070d2b0521e7ec14116b5dff71958c1a (diff) |
[ci skip] Add a note on xss_clean() and HTML attributes
Diffstat (limited to 'user_guide_src/source')
-rw-r--r-- | user_guide_src/source/libraries/security.rst | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst index f7604ef00..fc5cba19d 100644 --- a/user_guide_src/source/libraries/security.rst +++ b/user_guide_src/source/libraries/security.rst @@ -40,6 +40,9 @@ browser may attempt to execute. // file failed the XSS test } +.. important:: If you want to filter HTML attribute values, use + :php:func:`html_escape()` instead! + ********************************* Cross-site request forgery (CSRF) ********************************* @@ -101,7 +104,11 @@ Class Reference :rtype: mixed Tries to remove XSS exploits from the input data and returns the cleaned string. - If the optional second parameter is set to true, it will return boolean TRUE if the image is safe to use and FALSE if malicious data was detected in it. + If the optional second parameter is set to true, it will return boolean TRUE if + the image is safe to use and FALSE if malicious data was detected in it. + + .. important:: This method is not suitable for filtering HTML attribute vales! + Use :php:func:`html_escape()` for that instead. .. php:method:: sanitize_filename($str[, $relative_path = FALSE]) @@ -162,4 +169,4 @@ Class Reference Used for generating CSRF and XSS tokens. .. note:: The output is NOT guaranteed to be cryptographically secure, - just the best attempt at that.
\ No newline at end of file + just the best attempt at that. |