As CodeIgniter3's documentation says,
"A largely unknown rule about XSS cleaning is that it should only be applied to output, as opposed to input data."
Should I always use xss_clean() before outputting user's data? Or does set_value() do that for me?
Yes, set_value() does apply XSS-sanitizing by default.
However, be careful when using it together with other form helper functions, because they do that as well, and you don't want double-escaping. As explained in the manual, you can turn escaping off by passing (boolean) FALSE as the third parameter for set_value().
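The double-escaping situation the answer describes, shown as an added view fragment (example code, not from the original post or from the CodeIgniter project). It assumes a CodeIgniter 3 view with the form helper loaded, and the field names are hypothetical:

```php
<?php
// Added example, not from the original post. Assumes a CodeIgniter 3 view
// rendered after a failed validation run, with the form helper loaded via
// $this->load->helper('form'). Field names are hypothetical placeholders.

// 1. Plain HTML input: set_value() HTML-escapes the submitted value by
//    default, so input such as a quote or "<script>" cannot break out of the
//    value attribute. No extra xss_clean() call is needed here.
?>
<input type="text" name="username" value="<?php echo set_value('username'); ?>">

<?php
// 2. WRONG: form_input() escapes the value attribute itself. Passing an
//    already-escaped set_value() result escapes it a second time, so the user
//    sees entity text (e.g. "&amp;lt;" in place of "<") instead of their input.
echo form_input('email', set_value('email'));

// 3. RIGHT: pass FALSE as the third argument so set_value() returns the raw
//    value and form_input() performs the single round of escaping.
echo form_input('email', set_value('email', '', FALSE));

// 4. The second argument is the default shown when nothing was submitted yet;
//    escaping is still controlled only by the third argument.
echo form_input('country', set_value('country', 'Unknown', FALSE));
?>
```

Escaping on output protects the HTML context only; server-side validation rules for each field still apply to what the application stores or acts on.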