CodeIgniter Forums
XSS bug and fixation - Printable Version

Forum: Development > Issues. Thread: XSS bug and fixation (/showthread.php?tid=62873)



XSS bug and fixation - 10w0lf - 09-03-2015

Hello,
While testing my application with CI 3, I found a bug in XSS clean.

The bug is that the quotation mark " is not transformed into HTML entities.

For example: when you input something with a quotation mark in a text field and send it.

No problem.

Look at the image:

[Image: 209q7ts.png]

But what if the user inputs > (greater than) and some text? Then the result becomes like this:

Look at the image:

[Image: 28v4pcj.png]

Fixation

I think we should add a line in system/core/Security.php to the $_never_allowed_str array, like this:

Look at the image:

[Image: 33xedjo.png]


RE: XSS bug and fixation - Narf - 09-04-2015

That's not an XSS vulnerability; it doesn't result in code being executed by the client, or anything really harmful.

Also, if you think that you've found a security issue, it's really bad to put it like this in a public forum board; we've got a security@ email for such reports.


RE: XSS bug and fixation - 10w0lf - 09-04-2015

This bug works on many websites.


RE: XSS bug and fixation - Diederik - 09-04-2015

XSS clean is a method for sanitizing output data to the browser. You should not rely on this feature for validating user input. You should use form validation for validating user input.

http://www.codeigniter.com/user_guide/general/security.html#xss-filtering
http://forum.codeigniter.com/thread-62298-post-320238.html


RE: XSS bug and fixation - kenjis - 09-04-2015

(09-04-2015, 10:27 AM)10w0lf Wrote: This bug works on many websites.

If so, it is simply that developers of the sites forgot to escape HTML output.

In HTML you must write `&quote;` if you want to show `"`.
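The distinction Diederik and kenjis draw above, written out as an added example in plain PHP (this is not code from any poster in the thread or from CodeIgniter itself): the same input that "breaks" the text field in the screenshots is harmless once the value is escaped at output time. The input string and the two render functions are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed input: a double quote followed by '>' closes a value="..." attribute
// and the <input> tag, so whatever follows is rendered as ordinary page content.
// This is the shape of the input shown in the second screenshot above.
$userInput = '"> some text';

// Unescaped: the raw value is concatenated into the attribute. xss_clean() does not
// change this, because it is not an HTML-encoding function and leaves " alone.
function renderUnescaped(string $value): string
{
    return '<input type="text" name="q" value="' . $value . '">';
}

// Escaped: htmlspecialchars() with ENT_QUOTES turns " into &quot; and > into &gt;,
// so the browser cannot leave the attribute early. CodeIgniter 3's html_escape()
// helper wraps this same call; use it (or htmlspecialchars) on every value echoed
// into a view, and keep form validation for deciding whether the input is acceptable.
function renderEscaped(string $value): string
{
    return '<input type="text" name="q" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Check used here: a single <input> tag rendered correctly contains exactly one '>'.
// A second '>' means the attribute was closed by the user-supplied value.
function staysInsideAttribute(string $html): bool
{
    return substr_count($html, '>') === 1;
}

echo renderUnescaped($userInput), PHP_EOL;
echo renderEscaped($userInput), PHP_EOL;
var_dump(staysInsideAttribute(renderUnescaped($userInput)));
var_dump(staysInsideAttribute(renderEscaped($userInput)));
```

Run it with `php example.php`; the unescaped line shows the attribute closed early and the escaped line shows `&quot;&gt;` kept inside the value.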


RE: XSS bug and fixation - Narf - 09-07-2015

(09-04-2015, 10:27 AM)10w0lf Wrote: This bug works on many websites.

this bug == not a bug

Simple as that.