concretecms / concrete5-legacy

Legacy repository for concrete5
http://www.concrete5.org

Prevent possible XSS #1926

Closed okhayat closed 9 years ago

okhayat commented 9 years ago

URL Encode value since it's used in URL

Remo commented 9 years ago

@okhayat Any reason not to use Loader::helper('text')->sanitize(..)? From what I've read it's not recommended to use urlencode to protect against XSS

okhayat commented 9 years ago

Not really. I just thought it would be ok. If it's better, I'll just update the code.

thanks,

Remo commented 9 years ago

not sure myself!

Remo commented 9 years ago

This recommends htmlspecialchars: http://stackoverflow.com/a/5037413/5027773. sanitize only calls strip_tags; I don't think that's good enough either!

Remo commented 9 years ago

I think h(..) should be good: https://github.com/concrete5/concrete5-legacy/pull/1801/files https://github.com/concrete5/concrete5-legacy/pull/1101/files
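A worked comparison of the encoders named in this thread, added here as an example and not code from the pull request or from concrete5. It assumes h() wraps htmlspecialchars with ENT_QUOTES and that Loader::helper('text')->sanitize() reduces to strip_tags(), as stated above; the input string is constructed, and the helper names h_escape, render_variants, attribute_intact and decoded_query are the example's own.

```php
<?php
// Added example, not concrete5 code: compare the encoders discussed in this
// thread when an untrusted value is placed into the href of a generated link.
// h_escape() approximates concrete5's h() helper (assumed to wrap htmlspecialchars).

/** Stand-in for concrete5's h() helper: HTML-encode for element/attribute context. */
function h_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Build the same link four ways; the array key names the encoding applied. */
function render_variants(string $untrusted): array
{
    $link = function (string $q): string {
        return '<a href="/search?q=' . $q . '">link</a>';
    };
    return [
        // Loader::helper('text')->sanitize() is strip_tags(): tags go, quotes stay.
        'strip_tags'       => $link(strip_tags($untrusted)),
        // The PR's first version: URL-encoding only.
        'urlencode'        => $link(urlencode($untrusted)),
        // h() only: the attribute stays closed, but a raw '&' in the value splits the query string.
        'h'                => $link(h_escape($untrusted)),
        // Layered: URL-encode for the query string, then h() for the attribute.
        'urlencode_then_h' => $link(h_escape(urlencode($untrusted))),
    ];
}

/** True if the rendered markup contains only the two quotes the template itself emitted. */
function attribute_intact(string $html): bool
{
    return substr_count($html, '"') === 2;
}

/** Decode as a browser would (HTML entities first, then URL) to recover the value the server sees. */
function decoded_query(string $html): string
{
    preg_match('/href="([^"]*)"/', $html, $m);
    $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params['q'] ?? '';
}

if (PHP_SAPI === 'cli') {
    $untrusted = 'a"b<c>d&e';   // constructed sample with a quote, angle brackets and an ampersand
    foreach (render_variants($untrusted) as $name => $html) {
        printf("%-18s intact=%s q=%s\n   %s\n",
            $name, attribute_intact($html) ? 'yes' : 'NO', decoded_query($html), $html);
    }
}
```

Running the file with the PHP CLI prints one line per variant: strip_tags removes the `<c>` but leaves the quote, so the href attribute ends early and the server sees only `a`; urlencode and h() each keep the attribute intact, while h() alone lets the decoded `&` split the query string; URL-encoding for the query layer and then HTML-encoding for the attribute layer is the combination that holds for every character the value might contain.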

okhayat commented 9 years ago

Updated. Thanks for the recommendation. Hope this helps.

Remo commented 9 years ago

thanks