From 9187ed3516ba403d09fc88ebcf6ead7364f75c4d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 28 Feb 2015 19:54:17 +0200 Subject: [ci skip] Formally deprecate 'global_xss_filtering' --- user_guide_src/source/changelog.rst | 1 + user_guide_src/source/installation/upgrade_300.rst | 16 ++++++++++++++++ user_guide_src/source/libraries/input.rst | 4 ++++ 3 files changed, 21 insertions(+) (limited to 'user_guide_src') diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 42eed8034..ef3d2af39 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -480,6 +480,7 @@ Release Date: Not Released - :doc:`Input Library ` changes include: + - Deprecated the ``$config['global_xss_filtering']`` setting. - Added ``method()`` to retrieve ``$_SERVER['REQUEST_METHOD']``. - Added support for arrays and network addresses (e.g. 192.168.1.1/24) for use with the *proxy_ips* setting. - Added method ``input_stream()`` to aid in using **php://input** stream data such as one passed via PUT, DELETE and PATCH requests. diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 90d56c25c..2f806cccf 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -551,6 +551,22 @@ PHP's native ``hash()`` function. It is deprecated and scheduled for removal in .. note:: This function is still available, but you're strongly encouraged to remove its usage sooner rather than later. +The $config['global_xss_filtering'] setting +=========================================== + +As already explained above, XSS filtering should not be done on input data, +but on output instead. Therefore, the ``$config['global_xss_filtering']``, +which automatically filters *input* data, is considered a bad practice and +is now deprecated. + +Instead, you should manually escape any user-provided data via the +:php:func:`xss_clean()` function when you need to output it, or use a +library like `HTML Purifier `_ that does that +for you. + +.. note:: The setting is still available, but you're strongly encouraged to + remove its usage sooner rather than later. + File helper read_file() ======================= diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index 274e49af4..d9c6c2dd1 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst @@ -53,6 +53,10 @@ this:: Please refer to the :doc:`Security class ` documentation for information on using XSS Filtering in your application. +.. important:: The 'global_xss_filtering' setting is DEPRECATED and kept + solely for backwards-compatibility purposes. XSS escaping should + be performed on *output*, not *input*! + ******************* Accessing form data ******************* -- cgit v1.2.3-24-g4f1b