PHP-MySQLi-Database-Class

Protection during OUTPUT against stored XSS

Open eduo opened this issue 1 year ago • 0 comments

Hi,

I am aware that this library sanitizes input for the most part, but I can't find an easy way to centralize sanitizing the output to prevent "stored XSS".

"Stored Cross-Site Scripting" is what happens when someone manages to bypass sanitization (or writes directly to the database, or takes advantage of raw queries) and stores, in data (for example, a comment), JavaScript that will later be interpreted by the browser.

I was looking for a parameter when selecting data that applies an XSS function (htmlspecialchars would do, but I can imagine passing a parser function to some fields may be useful for other things) but I can't find it.

Is there some function or parameter that allows me to specify a parsing function for content (or all query results, if there's no chance of ever handling html or javascript on the content)?

eduo, Nov 26 '24 21:11
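The centralized output-escaping step the issue asks for, as an added example that is not part of the library or the issue: a helper that runs every string column of a result set through `htmlspecialchars`, with an optional per-column parser override (for example a renderer that itself emits sanitised HTML). It assumes rows shaped like those the library's `get()` returns and is written for the HTML body context only; attribute, URL and JavaScript contexts need their own encoders.

```php
<?php
// Added example (not library code): escape query results once, at output time,
// so a comment that bypassed input filtering still renders as inert text.

/**
 * Escape every string value in each row for HTML body output.
 * $fieldParsers maps column name => callable(string): string and replaces the
 * default escaping for that column (e.g. a Markdown renderer that sanitises).
 * Non-string values (int, float, bool, null) are returned unchanged.
 */
function escapeRows(array $rows, array $fieldParsers = []): array
{
    $default = static function (string $v): string {
        return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    };
    $out = [];
    foreach ($rows as $i => $row) {
        foreach ($row as $col => $val) {
            if (is_string($val)) {
                $parser = $fieldParsers[$col] ?? $default;
                $row[$col] = $parser($val);
            } elseif (is_array($val)) {
                // nested row (e.g. a joined sub-result): escape recursively
                $row[$col] = escapeRows([$val], $fieldParsers)[0];
            }
        }
        $out[$i] = $row;
    }
    return $out;
}

// Constructed sample rows, in the shape $db->get('comments') would return
// (assumed call). Row 2 carries markup that slipped past input sanitization.
$rows = [
    ['id' => 1, 'author' => 'alice', 'body' => 'Hello <b>world</b>'],
    ['id' => 2, 'author' => '"><script>...</script>', 'body' => "it's fine"],
];

// Default: everything escaped. 'body' could be routed to a trusted renderer
// instead via escapeRows($rows, ['body' => 'renderMarkdownSafely']).
$safe = escapeRows($rows);

foreach ($safe as $r) {
    echo "<p><strong>{$r['author']}</strong>: {$r['body']}</p>\n";
}
```

Wrapping the library's fetch call in this helper gives one place to apply escaping for every query instead of remembering it at each template.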