First, sorry if this isn't the right place and way to ask.
I'm developing a new module and have 2 questions about security.
1 - My module has a Config page to which only the admin (or another user with the same rights) has access, like /admin/config/system/site-information.
In this config I have some fields that will be shown later in the HTML output.
Question: Must I filter this content against XML injection (filter_xss or filter_xss_admin), or can I trust this user?
2 - To generate the HTML output, I have a field with a Token. This field itself is already checked against injection, but must the content of the token (which may be the body, title, or any other field filled in by the user) be checked too, or can I trust that these fields are already filtered by the system?
Thanks in advance for any directions about it.
Edvaldo
Comments
Do the fields need to have
'restrict access' => TRUE
and you don't need to filter them. If they don't need javascript/iframes etc. then it is appropriate to use filter_xss or filter_xss_admin.

knaddison blog | Morris Animal Foundation
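As an added illustration of the approach in the reply above (this is an example written for this page, not code posted in the thread and not Drupal core's own module code), here is a Drupal 7 module that stores one admin setting and prints it in HTML. The module name mymodule, the variable names, the permission names and the footer field are all hypothetical; the API calls (hook_permission, hook_menu, system_settings_form, variable_get, token_replace, filter_xss_admin, user_access) are real Drupal 7 functions.

```php
<?php
// Added example for this thread; module and variable names are hypothetical.

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    'administer mymodule' => array(
      'title' => t('Administer My Module'),
    ),
    // Whoever holds this can put unfiltered HTML on the site.
    // 'restrict access' => TRUE makes the permissions page flag it.
    'administer mymodule unfiltered html' => array(
      'title' => t('Enter unfiltered HTML in My Module settings'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items['admin/config/system/mymodule'] = array(
    'title' => 'My Module',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_settings_form'),
    'access arguments' => array('administer mymodule'),
  );
  return $items;
}

/**
 * Settings form. The text is stored as typed; filtering happens on output.
 */
function mymodule_settings_form($form, &$form_state) {
  $form['mymodule_footer'] = array(
    '#type' => 'textarea',
    '#title' => t('Footer text'),
    '#description' => t('Tokens such as [node:title] are replaced on output.'),
    '#default_value' => variable_get('mymodule_footer', ''),
  );
  // Only roles with the restricted permission even see this checkbox;
  // '#access' => FALSE elements are neither rendered nor submitted.
  $form['mymodule_footer_raw'] = array(
    '#type' => 'checkbox',
    '#title' => t('Output the footer as raw HTML (no XSS filtering)'),
    '#default_value' => variable_get('mymodule_footer_raw', FALSE),
    '#access' => user_access('administer mymodule unfiltered html'),
  );
  return system_settings_form($form);
}

/**
 * Builds the HTML that ends up on the page for a given node.
 */
function mymodule_render_footer($node) {
  $raw = variable_get('mymodule_footer', '');

  // Token values: with 'sanitize' => TRUE (the default) token_replace()
  // sanitizes each replacement itself, e.g. check_plain() for [node:title]
  // and check_markup() with the field's text format for [node:body].
  // Only pass 'sanitize' => FALSE if you filter the whole result afterwards.
  $text = token_replace($raw, array('node' => $node), array(
    'sanitize' => TRUE,
    'clear' => TRUE,
  ));

  // The admin-typed wrapper text: trusted raw only when a role that holds
  // the restricted permission opted in; otherwise strip scripts, iframes and
  // event handlers while keeping the richer admin tag set.
  if (variable_get('mymodule_footer_raw', FALSE)) {
    return $text;
  }
  return filter_xss_admin($text);
}
```

The split matches the two questions in the post: token content is covered by token_replace()'s own sanitizing as long as the 'sanitize' option stays TRUE, while the text the admin typed is either filtered with filter_xss_admin() (or filter_xss() with a tag whitelist if even admin markup is too much) or deliberately left raw behind a permission marked 'restrict access' => TRUE.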