
Is trim enough for dropdown and checkbox/radiobox when validating form or should I also always use xss_clean?

I guess I should, but can somebody explain to me why exactly? Thanks.

marion99

1 Answer

It's good practice to always use CodeIgniter's $this->input->post() and use its xss_clean engine, since it's provided in the framework.

Furthermore, even if your form's action is e.g. 'example.com/register' and you just trim checkbox values like $subscribe = trim($_POST['subscribe']), I could make another form on my site which also sets its action to 'example.com/register' but has the 'subscribe' field as input type='text'. From there I could post all kinds of nasty things to your site.

Tom
  • Are you talking about CSRF? I know about it. It makes some problems when using it with AJAX, but on a standard form it works. I was primarily interested this time only in xss_clean. So, my question: should I use xss_clean on all fields? If yes, maybe it would be better to turn it ON globally in my config file. What do you think? – marion99 Sep 16 '12 at 08:18
  • In the end it pretty much depends on how you use that data. I wouldn't turn it on globally from config, as there might be a situation where you need data to be 'raw', unhandled. There's plenty of discussion about xss_clean [here](http://stackoverflow.com/questions/5337143/codeigniter-why-use-xss-clean), good reads! – Tom Sep 16 '12 at 08:36
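The answer's point is that the server never sees the HTML control type, only the submitted string, so trim() on a "checkbox" value constrains nothing. The following is an added example in plain PHP (not code from the question, the answer, or the CodeIgniter framework) that runs the same constructed POST bodies through a trim-only handler and through an allow-list handler; the field name `subscribe`, the allowed values `yes`/`no` and the sample bodies are all assumptions chosen to match the discussion above.

```php
<?php
// Added example, not part of the original question or answer, and not
// CodeIgniter code: why trim() alone does not constrain a checkbox/radio/select
// value, and what checking the value against the set the page offered looks like.
declare(strict_types=1);

// Constructed sample POST bodies: what the real form sends, what an unchecked
// box sends (nothing), and what a hand-crafted form posting to the same action
// could send instead.
const SAMPLES = [
    'real form'      => ['subscribe' => 'yes'],
    'unchecked'      => [],                                   // browsers omit unchecked boxes
    'padded value'   => ['subscribe' => '  yes  '],
    'tampered value' => ['subscribe' => '<script>alert(1)</script>'],
    'array value'    => ['subscribe' => ['yes', 'no']],       // e.g. subscribe[]=yes&subscribe[]=no
];

// Trim-only handling, as described in the question: accepts any string.
function trimOnly(array $post): string
{
    $raw = $post['subscribe'] ?? '';
    // trim() on an array raises a TypeError, so the trim-only code would
    // already break on the "array value" sample; treat it as empty here.
    return is_string($raw) ? trim($raw) : '';
}

// Allow-list handling: a checkbox, radio or select can only legitimately carry
// one of the values the page offered, so compare against that set (strict, so
// "0", "" and other loosely-equal values cannot sneak in) and fall back to a
// safe default for anything else, including non-string input.
function allowList(array $post, array $allowed, string $default): string
{
    $raw = $post['subscribe'] ?? '';
    if (!is_string($raw)) {
        return $default;
    }
    $value = trim($raw);
    return in_array($value, $allowed, true) ? $value : $default;
}

// Whatever was accepted, escape at output time; this is the job xss_clean is
// often used for, but it belongs at the point where the value is rendered.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (SAMPLES as $label => $post) {
    printf(
        "%-15s trim only: %-40s allow-list: %s\n",
        $label,
        var_export(escapeForHtml(trimOnly($post)), true),
        var_export(allowList($post, ['yes', 'no'], 'no'), true)
    );
}
```

Run it with `php example.php`: the trim-only column carries the script tag through for the tampered body (neutralised here only because the output step escapes it), while the allow-list column yields `'yes'` or `'no'` for every body. That is the practical answer to the question: for dropdowns, checkboxes and radio buttons the strong check is membership in the set of values you offered, with output escaping (or xss_clean) as the second layer rather than the only one.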