Although not enabled by default, you can configure Fuel to filter all input ($_GET, $_POST and $_COOKIE) on every page request. To do so, configure the functions or methods to be used to filter them in the application's config/config.php file.
    /**
     * Security settings
     */
    'security' => array(
        'input_filter' => array(),
    )
Anything that is callable in PHP and accepts a single value as parameter can be used for filtering purposes. This includes PHP functions like 'htmlentities', static class methods like '\\Security::xss_clean' or even object methods which are defined as array($object, 'method'). If you use an object method, make sure the object is available before Fuel is initialized, as input filtering happens very early in the request process.
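The three kinds of callable described above, shown as an added stand-alone example (not Fuel's own code): it models a filter chain applied to a nested input array. The InputFilters and LengthLimiter classes and the apply_input_filters() helper are hypothetical, and Fuel's internal handling may differ.

```php
<?php
// Hypothetical static-method filter: removes NUL bytes.
class InputFilters
{
    public static function stripNullBytes($value)
    {
        return str_replace("\0", '', $value);
    }
}

// Hypothetical object-method filter: the object must exist before filtering runs.
class LengthLimiter
{
    private $max;
    public function __construct($max) { $this->max = $max; }
    public function limit($value) { return substr($value, 0, $this->max); }
}

$limiter = new LengthLimiter(64);

// Same shape as the 'security' section of config/config.php.
// Order matters: truncate before encoding so no entity is cut in half.
$config = array(
    'security' => array(
        'input_filter' => array(
            'InputFilters::stripNullBytes', // static class method
            array($limiter, 'limit'),       // object method
            'htmlentities',                 // plain PHP function
        ),
    ),
);

// Apply every filter, in order, to each scalar leaf of a (possibly nested) array.
function apply_input_filters(array $filters, $value)
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = apply_input_filters($filters, $item);
        }
        return $value;
    }
    foreach ($filters as $filter) {
        $value = call_user_func($filter, $value);
    }
    return $value;
}

// Constructed sample standing in for $_GET.
$get = array('q' => "<script>alert(1)</script>\0", 'tags' => array('a&b', '"quoted"'));
var_dump(apply_input_filters($config['security']['input_filter'], $get));
```

Because the chain rewrites values before application code reads them, anything stored or compared later sees the entity-encoded form.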