Trying to tune up security both for an API and a frontend and I found the menacing "warning:" note regarding xss_clean input filtering. I was wondering, are there any good rules of thumb for using xss_clean? For instance, for the time being our API will remain private, but will potentially someday be opened up. Would you recommend input filtering in either of these situations? Or what about for our more standard front-end website?
Don't know what note you mean, but I assume the potential performance impact?
We include htmlawed, which is one of the fastest available, but still, if you clean a lot, you will notice the impact.
The big question is: is it really needed?
You should perform input validation at all times, no matter where the input comes from. Proper validation would already catch most cases. On output, Fuel encodes all data, so if there is anything in the data that might be harmful, encoding will render it harmless.
In an API there is obviously no output encoding; that should be done by the application processing the API return data.
All in all, there are not a lot of cases where you would need xss_clean...
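The validate-on-input, encode-on-output split described in the answer, as an added example that is not part of the original thread or of FuelPHP. It is plain PHP rather than Fuel's own Validation and Security classes, so it runs stand-alone; the field rules, the function names and the sample request array are all constructed for the illustration. The same validated record is rendered once as HTML (frontend: encoded) and once as JSON (API: not HTML-encoded, left to the consumer), with no sanitizer in between.

```php
<?php
// Added example, not FuelPHP code: whitelist validation on the way in,
// context-appropriate encoding on the way out, no xss_clean in between.
declare(strict_types=1);

// Input validation: accept only what each field is supposed to contain,
// and reject (do not "clean") anything else.
function validate_profile(array $input): array
{
    $clean  = [];
    $errors = [];

    // Username: 3-32 chars of [A-Za-z0-9_]. A value like "<b>bob</b>" is rejected outright.
    if (!isset($input['username']) || !is_string($input['username'])
        || !preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $input['username'])) {
        $errors['username'] = 'must be 3-32 letters, digits or underscores';
    } else {
        $clean['username'] = $input['username'];
    }

    // Age: integer in a plausible range. filter_var rejects "25abc", "1e3", "" and null.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'must be an integer between 13 and 120';
    } else {
        $clean['age'] = $age;
    }

    // Bio: free text that may legitimately contain < > & ' " so those cannot be
    // rejected. Validation only enforces a length limit and well-formed UTF-8;
    // making the text safe to display is the output step's responsibility.
    $bio = $input['bio'] ?? '';
    if (!is_string($bio) || !mb_check_encoding($bio, 'UTF-8') || mb_strlen($bio, 'UTF-8') > 500) {
        $errors['bio'] = 'must be valid UTF-8 of at most 500 characters';
    } else {
        $clean['bio'] = $bio;
    }

    return [$clean, $errors];
}

// Output encoding for HTML text and quoted-attribute contexts. ENT_QUOTES encodes
// both quote styles, ENT_SUBSTITUTE avoids returning an empty string on bad bytes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Frontend: every untrusted value is encoded at the point it is placed into HTML.
function render_profile_html(array $profile): string
{
    return '<div class="profile" data-user="' . h($profile['username']) . '">'
         . '<h2>' . h($profile['username']) . ' (' . (int) $profile['age'] . ')</h2>'
         . '<p>' . h($profile['bio']) . '</p>'
         . '</div>';
}

// API: the validated data goes out as JSON with no HTML encoding; the consuming
// application encodes for whatever context it renders into. The JSON_HEX_* flags
// escape < > & ' " as \uXXXX so the body cannot break out of a <script> block
// even if a consumer inlines it there.
function render_profile_json(array $profile): string
{
    return json_encode($profile,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample requests (not real traffic).
$good = [
    'username' => 'alice_42',
    'age'      => '29',
    'bio'      => 'I <3 "quotes" & <script>alert(1)</script>',
];
$bad = [
    'username' => '<b>bob</b>',   // rejected by validation, never reaches output
    'age'      => '25abc',
    'bio'      => 'hi',
];

foreach (['good' => $good, 'bad' => $bad] as $label => $request) {
    [$profile, $errors] = validate_profile($request);
    if ($errors !== []) {
        echo $label, ': rejected ', json_encode($errors), PHP_EOL;
        continue;
    }
    echo $label, ' (html): ', render_profile_html($profile), PHP_EOL;
    echo $label, ' (json): ', render_profile_json($profile), PHP_EOL;
}
```

In the accepted request the `<script>` payload survives validation, because a bio is allowed to contain angle brackets, but it reaches the browser as `&lt;script&gt;` and is inert. Note that `h()` is only correct for HTML text and quoted attribute values; a value placed into a URL, a CSS property or a JavaScript string needs the encoder for that context, which is the reason output encoding rather than input filtering is the control to rely on.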