I'm trying to figure out exactly what the best way is of sanitising data returned from a Model_Crud lookup.
As it currently stands, POSTed data is stored directly in the database unfiltered (as per framework default) and then retrieved later ready to be passed to the view to be iterated over using the Model_Crud functionality.
However, passing an array of Model_Crud(s) to a view unfortunately means that the data in the Model could still potentially contain malicious code. The only way I've managed to fix this issue so far is to run Security::xss_clean() in the view as I iterate over the array of Model_Cruds.
```php
<?php foreach ($models as $model): ?>
<!-- Data is still dangerous unless it goes through xss_clean() or htmlentities! ($models and $model->field are placeholder names) -->
<?php echo Security::xss_clean($model->field); ?>
<?php endforeach; ?>
```
I'm wondering what the best approach is to make sure that a Model_Crud object is fully sanitised when its contents are output to a view.
I can't really rely on the __toString() method as I need to use singular, specific data(fields) from the Model in different views.
BTW - How do you format code in these forums? I can't see an option in the toolbar.
All data passed to a view is encoded by default, which will make malicious code harmless. Model_Crud objects are not whitelisted, so I don't see why they shouldn't be encoded.
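As an added illustration of the encode-by-default behaviour the reply describes (standalone example code, not FuelPHP's View or Security implementation), here is a minimal PHP helper that escapes everything handed to a view unless the object's class is explicitly whitelisted; the ViewData and Post classes and the sample field value are constructed for this demo, and it assumes model fields are public properties.

```php
<?php
// Added example (not FuelPHP's code): encode-at-output for view data.
// Strings, array elements and public object properties are HTML-escaped
// when handed to the view; only whitelisted classes are passed through raw.
final class ViewData
{
    /** @var string[] class names allowed through unencoded (empty by default) */
    private array $whitelist;
    public function __construct(array $whitelist = [])
    {
        $this->whitelist = $whitelist;
    }
    public static function escape(string $value): string
    {
        // ENT_QUOTES also escapes single quotes, so values are safe inside attributes.
        return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    /** Recursively encode a value as it would be handed to a view. */
    public function clean(mixed $value): mixed
    {
        if (is_string($value)) {
            return self::escape($value);
        }
        if (is_array($value)) {
            return array_map([$this, 'clean'], $value);
        }
        if (is_object($value)) {
            if (in_array(get_class($value), $this->whitelist, true)) {
                return $value;                     // trusted class: passed through raw
            }
            $copy = clone $value;                  // never mutate the stored model
            foreach (get_object_vars($copy) as $prop => $val) {
                $copy->$prop = $this->clean($val); // each public field encoded
            }
            return $copy;
        }
        return $value;                             // int/float/bool/null are harmless
    }
}
// Constructed demo: a model-like record holding unfiltered POSTed input (placeholder class).
class Post { public function __construct(public string $title, public string $body) {} }
$raw  = new Post('Hello', 'Hi <script>/* untrusted */</script> & "quotes"');
$safe = (new ViewData())->clean($raw);
echo $safe->body, PHP_EOL;   // markup reaches the page as inert text
// Pitfall from the follow-up post: decoding entities afterwards restores the raw markup.
echo html_entity_decode($safe->body, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```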
It turns out that there was a form 'prettifying' script that was decoding entities and thus made it seem as if the framework was acting up. It wasn't. Everything's working fine, my mistake :)