-rw-r--r--application/config/config.php3
-rw-r--r--user_guide_src/source/changelog.rst1
-rw-r--r--user_guide_src/source/installation/upgrade_300.rst16
-rw-r--r--user_guide_src/source/libraries/input.rst4
4 files changed, 24 insertions, 0 deletions
diff --git a/application/config/config.php b/application/config/config.php
index 7d5c24c84..7be482b85 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -404,6 +404,9 @@ $config['standardize_newlines'] = FALSE;
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
+| WARNING: This feature is DEPRECATED and currently available only
+| for backwards compatibility purposes!
+|
*/
$config['global_xss_filtering'] = FALSE;
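Review bot: The WARNING added at the top of this hunk tells a reader of config.php that the setting is deprecated, but not why or what replaces it; the upgrade_300.rst and input.rst hunks in this same commit carry that reasoning (escape on output, not input), while someone editing only the config file never sees it. Suggest extending the new comment lines with `| XSS escaping should be performed on output, not on input; see the` and `| Security class documentation for details.` so the config file is self-explanatory. The enclosing `/* ... */` comment block opens outside the hunk, so the new lines should keep the existing `|` margin style shown on the context lines.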
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 42eed8034..ef3d2af39 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -480,6 +480,7 @@ Release Date: Not Released
- :doc:`Input Library <libraries/input>` changes include:
+ - Deprecated the ``$config['global_xss_filtering']`` setting.
- Added ``method()`` to retrieve ``$_SERVER['REQUEST_METHOD']``.
- Added support for arrays and network addresses (e.g. 192.168.1.1/24) for use with the *proxy_ips* setting.
- Added method ``input_stream()`` to aid in using **php://input** stream data such as one passed via PUT, DELETE and PATCH requests.
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 90d56c25c..2f806cccf 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -551,6 +551,22 @@ PHP's native ``hash()`` function. It is deprecated and scheduled for removal in
.. note:: This function is still available, but you're strongly encouraged to remove its usage sooner
rather than later.
+The $config['global_xss_filtering'] setting
+===========================================
+
+As already explained above, XSS filtering should not be done on input data,
+but on output instead. Therefore, the ``$config['global_xss_filtering']``,
+which automatically filters *input* data, is considered a bad practice and
+is now deprecated.
+
+Instead, you should manually escape any user-provided data via the
+:php:func:`xss_clean()` function when you need to output it, or use a
+library like `HTML Purifier <http://htmlpurifier.org/>`_ that does that
+for you.
+
+.. note:: The setting is still available, but you're strongly encouraged to
+ remove its usage sooner rather than later.
+
File helper read_file()
=======================
diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst
index 274e49af4..d9c6c2dd1 100644
--- a/user_guide_src/source/libraries/input.rst
+++ b/user_guide_src/source/libraries/input.rst
@@ -53,6 +53,10 @@ this::
Please refer to the :doc:`Security class <security>` documentation for
information on using XSS Filtering in your application.
+.. important:: The 'global_xss_filtering' setting is DEPRECATED and kept
+ solely for backwards-compatibility purposes. XSS escaping should
+ be performed on *output*, not *input*!
+
*******************
Accessing form data
*******************