Is the only way to use the Security::xss_clean function? Is there a way to make FuelPHP deal alone or automatically with strings like "gwagwaagwghg1515511"?
Unlike many (if not all) other frameworks, FuelPHP doesn't strip on input, it encodes on output. The main reasoning behind this is that all stripping makes you lose input data.
Just create a view that contains:
<h1><?php echo $value; ?></h1>
And a controller that contains:
    public function action_index()
    {
        return View::forge('yourview')->set('value', '<script>alert("this will not popup");</script>');
    }
and you will see it will not lead to security issues (if it does, you have changed the wrong things in the config).
xss_clean is done through htmLawed, and is a CPU-intensive process. Depending on the amount of data posted, it might cause quite a performance hit. This is why the warning is in the config file.
In all the applications we have built for our clients, xss_clean was never generically used. We only use it in cases where an end user is allowed to enter HTML that has to be passed to the view unencoded. In this case we use a custom config to strip all HTML (and JavaScript) that is not allowed.
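The encode-on-output behaviour described in the replies above, as an added example that is not part of the original thread and is not FuelPHP's own code. It is a plain-PHP stand-in (the class name EncodingView and the sample inputs are assumptions) that keeps the submitted value intact and encodes only at render time, shown next to strip_tags to make visible what stripping on input discards.

```php
<?php
// Added illustration in plain PHP. EncodingView is a hypothetical stand-in,
// not FuelPHP's View class.
final class EncodingView
{
    private array $data = [];
    private array $raw  = [];

    // Default path: keep the value exactly as submitted; encode it on output.
    public function set(string $key, string $value): self
    {
        $this->data[$key] = $value;
        unset($this->raw[$key]);
        return $this;
    }

    // Opt-out for HTML that was already cleaned against an allow-list.
    public function setRaw(string $key, string $cleanedHtml): self
    {
        $this->data[$key] = $cleanedHtml;
        $this->raw[$key]  = true;
        return $this;
    }

    // Encoding happens here, at output time, never on the stored data.
    public function get(string $key): string
    {
        $value = $this->data[$key] ?? '';
        return isset($this->raw[$key])
            ? $value
            : htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample inputs: markup, a plain string, and text with < and >.
$inputs = [
    '<script>alert("this will not popup");</script>',
    'gwagwaagwghg1515511',
    'price <5 and qty >2',
];

foreach ($inputs as $input) {
    $view = (new EncodingView())->set('value', $input);
    echo 'submitted: ', $input, PHP_EOL;                            // what you would store
    echo 'rendered : <h1>', $view->get('value'), '</h1>', PHP_EOL;  // inert in an HTML body
    echo 'stripped : ', strip_tags($input), PHP_EOL, PHP_EOL;       // input filtering drops data
}
```

The plain string passes through all three paths unchanged, so no per-field cleaning call is needed for it; only values routed through the raw opt-out need allow-list cleaning first.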