Fuel offers the following:
- configurable input filters (by default none)
- htmLawed is included for XSS filtering and accessible through Security::xss_clean(), also usable as an input filter (though not recommended due to the performance hit it causes)
- output encoding is enabled by default by using htmlentities on anything sent to the view unless you expressly permit it
Here's a link to the config settings in the main config file of your app: https://github.com/fuel/fuel/blob/master/fuel/app/config/config.php#L76
EDIT:
Dan wrote a blog post about this, though it was written before we started using output encoding by default instead of input filtering.