From 56d1a70e8149529058e442f4876e90ff963c533a Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 20 Feb 2017 11:35:24 +0200 Subject: [ci skip] Add a note on xss_clean() and HTML attributes --- user_guide_src/source/libraries/security.rst | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'user_guide_src/source/libraries/security.rst') diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst index f7604ef00..fc5cba19d 100644 --- a/user_guide_src/source/libraries/security.rst +++ b/user_guide_src/source/libraries/security.rst @@ -40,6 +40,9 @@ browser may attempt to execute. // file failed the XSS test } +.. important:: If you want to filter HTML attribute values, use + :php:func:`html_escape()` instead! + ********************************* Cross-site request forgery (CSRF) ********************************* @@ -101,7 +104,11 @@ Class Reference :rtype: mixed Tries to remove XSS exploits from the input data and returns the cleaned string. - If the optional second parameter is set to true, it will return boolean TRUE if the image is safe to use and FALSE if malicious data was detected in it. + If the optional second parameter is set to true, it will return boolean TRUE if + the image is safe to use and FALSE if malicious data was detected in it. + + .. important:: This method is not suitable for filtering HTML attribute vales! + Use :php:func:`html_escape()` for that instead. .. php:method:: sanitize_filename($str[, $relative_path = FALSE]) @@ -162,4 +169,4 @@ Class Reference Used for generating CSRF and XSS tokens. .. note:: The output is NOT guaranteed to be cryptographically secure, - just the best attempt at that. \ No newline at end of file + just the best attempt at that. -- cgit v1.2.3-24-g4f1b From 763b7703ee744b65878bbf721fce3e5ec4dfac82 Mon Sep 17 00:00:00 2001 
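Review bot: The `.. important::` block added under `xss_clean()` in the Class Reference hunk (`@@ -101,7 +104,11 @@`) has a typo: "filtering HTML attribute vales" should read "filtering HTML attribute values", matching the copy added after the XSS intro in the first hunk, which is spelled correctly. Both new notes also say `html_escape()` is used to "filter" attribute values; it escapes output rather than filtering it, so "use :php:func:`html_escape()` to escape the value instead" would describe it more accurately, and the note is the right place to add that the escaped value must still be placed in a quoted attribute, since escaping alone is not a safe answer for an unquoted attribute context. The last hunk only supplies the missing newline at end of file and needs no change.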
From: Andrey Andreev Date: Mon, 26 Jun 2017 10:26:33 +0300 Subject: [ci skip] Merge pull request #5162 from hex-ci/patch-3 Fix a spelling typo in security docs --- user_guide_src/source/libraries/security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'user_guide_src/source/libraries/security.rst') diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst index fc5cba19d..868112684 100644 --- a/user_guide_src/source/libraries/security.rst +++ b/user_guide_src/source/libraries/security.rst @@ -107,7 +107,7 @@ Class Reference If the optional second parameter is set to true, it will return boolean TRUE if the image is safe to use and FALSE if malicious data was detected in it. - .. important:: This method is not suitable for filtering HTML attribute vales! + .. important:: This method is not suitable for filtering HTML attribute values! Use :php:func:`html_escape()` for that instead. .. php:method:: sanitize_filename($str[, $relative_path = FALSE]) -- cgit v1.2.3-24-g4f1b
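Review bot: This hunk only turns "vales" into "values", which is correct and complete: the matching `.. important::` note that the earlier commit added after the `xss_clean()` usage example already reads "values", so no second fix is required. While this sentence is being touched, "not suitable for filtering HTML attribute values" could become "not suitable for escaping HTML attribute values", because `html_escape()` escapes rather than filters, and the current wording suggests the two functions do the same kind of job.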