3 space at front of input
4 <p>Para</p>
You may have noticed that when the JREQUEST_ALLOWHTML mask is used, the JavaScript
and CSS are stripped from the data. JavaScript and CSS are removed from the data
because they present a security risk. Attacks that exploit this type of security flaw
are known as XSS (Cross Site Scripting) attacks; this is discussed in more detail later
in the chapter. If we want to retrieve the data in its original form, we must use the
JREQUEST_ALLOWRAW mask.
Escaping and Encoding Data
Escaping is the act of prefixing special characters with an escape character. In PHP
there are two configuration settings, magic_quotes_gpc and magic_quotes_runtime
that, if enabled, will automatically escape data. Joomla! always disables these.
Error Handling and Security
[ 318 ]
Data that we retrieve is never automatically escaped; it is the responsibility of our
extensions to escape data as necessary. Joomla! provides us with some useful ways of
escaping data, namely the JDatabase getEscaped() and Quote() methods and the
static JOutputFilter class.
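The following is an added example, not code from the book, that puts the two points above together: retrieving a value with the JREQUEST_ALLOWHTML and JREQUEST_ALLOWRAW masks, escaping it with Quote() and getEscaped() before it reaches the database, and encoding it with JOutputFilter before output. The request parameter `body` and the table `#__example_items` are hypothetical, and the example assumes Quote() accepts a second `$escaped` argument to skip re-escaping an already escaped value.

```php
<?php
// Added example, not from the book. 'body' and #__example_items are
// hypothetical names chosen for illustration.

// 1. Retrieving data with masks. JREQUEST_ALLOWHTML keeps the markup but
//    strips JavaScript and CSS; JREQUEST_ALLOWRAW returns the value untouched.
$safeHtml = JRequest::getVar('body', '', 'post', 'string', JREQUEST_ALLOWHTML);
$raw      = JRequest::getVar('body', '', 'post', 'string', JREQUEST_ALLOWRAW);

// 2. Escaping before the value reaches the database. Neither value above is
//    escaped for SQL; Quote() escapes it and wraps it in single quotes.
$db = &JFactory::getDBO();

// Unsafe: raw request data concatenated straight into the query string.
// $query = "INSERT INTO #__example_items (body) VALUES ('" . $raw . "')";

// Safe: escape and quote through the database object.
$query = 'INSERT INTO #__example_items (body) VALUES ('
       . $db->Quote($safeHtml) . ')';
$db->setQuery($query);
if (!$db->query()) {
    JError::raiseWarning(500, $db->getErrorMsg());
}

// getEscaped() escapes without adding quotes, which is useful when the
// literal is assembled by hand, such as a LIKE pattern. The second argument
// to Quote() (assumed here) tells it the text is already escaped.
$pattern = '%' . $db->getEscaped($safeHtml) . '%';
$query   = 'SELECT id, body FROM #__example_items WHERE body LIKE '
         . $db->Quote($pattern, false);
$db->setQuery($query);
$rows = $db->loadObjectList();

// 3. Escaping for output. JOutputFilter::objectHTMLSafe() HTML-encodes every
//    string property of the object in place, so markup is shown literally
//    rather than interpreted by the browser.
foreach ($rows as $row) {
    JOutputFilter::objectHTMLSafe($row);
    echo '<div>' . $row->body . '</div>';
}
```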