FuelPHP Forums

Escaping of HTML characters
  • I have routines I call from a model to generate data.
    And I have routines I call from a view to display the data.

    My display code automatically escapes html chars for display,
    unless I set a flag on a specific database field/column which
    causes it to not escape the chars.

    I use this flag when my query generates an HTML hyperlink or
    when the column has conditional color:
    For example the expiration date column:

    If it's a future date:
    expires
    else
    '<font color=red>' || expires || '</font>'

    So my automatic escaping can be turned off explicitly when
    needed and only when needed.

    I've searched for a few minutes and I can't find the configuration
    switch to turn off the global escaping which is getting in my way.

    Help!

    I was surprised that my model's data wasn't being cleanly passed
    to the view without being messed with. Is there a discussion of
    what is being done to that data and the security implications?

    thanks
  • Fuel doesn't strip on input, it encodes on output.

    We find that the behaviour of other frameworks that do strip or filter on input do it wrong, in that you lose input data, you have to do complicated things when you don't want to strip or filter (for example when you post HTML), it is very difficult to make completely secure, and once something insecure sneaks past the filter, your app is hacked.

    In Fuel, all data is accepted and stored as posted (you should validate!), and encoded when displayed so that no matter where your data came from, and how it was treated, an insecure string will not compromise your app.

    You can disable ALL output encoding by setting security.auto_filter_output to false in your config.php config file.

    You can disable output encoding on specific classes by whitelisting them in the security.whitelisted_classes array.

    And your classes can implement the Sanitization interface, which allows you to customize the way variables in your objects are escaped. Model_Crud and ORM models implement this interface.
  • Thank you very much. That helped me find what I needed:

    'auto_filter_output'  => false,

    This allows my model and view calls to be the one which is
    "Aware" of the fact that the generated output is being inserted
    into html instead of Fuel automagically taking care of it.
  • Just make sure you manually encode everything your views output, to avoid security holes!
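The pattern the thread converges on, written out as an added example (it is not code from the thread or from FuelPHP itself): with security.auto_filter_output set to false, every value a view prints has to be encoded by hand, and the only markup allowed through raw is the red wrapper the model routine built around an already-encoded date. The function names expires_cell and render_row are invented for this example, and htmlspecialchars() is used in place of Fuel's Security::htmlentities() so the file runs without the framework loaded.

```php
<?php
// Added example, not from the forum thread or from FuelPHP's own code.
// Demonstrates what "manually encode everything your views output" looks
// like once auto_filter_output is off: the date string is always encoded,
// whichever branch is taken, and only the <font> wrapper generated here
// ever reaches the page unescaped.
//
// Assumption: expires_cell() and render_row() are names made up for this
// example; htmlspecialchars() stands in for Security::htmlentities().

// The config.php fragment the thread arrived at (turns off ALL output encoding):
//   'security' => array(
//       'auto_filter_output' => false,
//   ),

/**
 * Build the "expires" cell exactly as the first post describes:
 * a future date is shown plainly, a past (or unparseable) date is wrapped in red.
 * Dates are expected as YYYY-MM-DD; anything else is treated as expired
 * rather than trusted, since the value may have come from user input.
 */
function expires_cell(string $expires, DateTimeImmutable $now): string
{
    // Encode first, so both branches below work with a safe string.
    $safe = htmlspecialchars($expires, ENT_QUOTES, 'UTF-8');

    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $expires);
    if ($date !== false && $date > $now) {
        return $safe;
    }
    return '<font color=red>' . $safe . '</font>';
}

/**
 * Render one table row. The expires cell is the only value trusted as markup,
 * because expires_cell() produced it from an encoded string; every other
 * column is encoded right here, in the view code, not by the framework.
 */
function render_row(array $row, DateTimeImmutable $now): string
{
    $cells = array(
        htmlspecialchars($row['name'],  ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['owner'], ENT_QUOTES, 'UTF-8'),
        expires_cell($row['expires'], $now),
    );
    return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

// Constructed sample rows; the second "name" shows why encoding must not be
// skipped just because a flag turned the global filter off.
$rows = array(
    array('name' => 'Licence A', 'owner' => 'ops',          'expires' => '2099-01-01'),
    array('name' => '<b>bold</b>', 'owner' => 'a & b',      'expires' => '2001-01-01'),
    array('name' => 'Licence C', 'owner' => 'dev',          'expires' => 'not-a-date'),
);

$now = new DateTimeImmutable('2024-06-01');
echo "<table>\n";
foreach ($rows as $row) {
    echo render_row($row, $now), "\n";
}
echo "</table>\n";
```

The row with `<b>bold</b>` is emitted as `&lt;b&gt;bold&lt;/b&gt;`, while the expired and unparseable dates are wrapped in the red `<font>` tag around their encoded text; that is the split the original poster wanted, with the view rather than Fuel deciding which characters are markup.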
