XSS bug and fixation - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com) > Development (https://forum.codeigniter.com/forumdisplay.php?fid=6) > Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19) > Thread: XSS bug and fixation (/showthread.php?tid=62873)
XSS bug and fixation - 10w0lf - 09-03-2015

Hello, while testing my application with CI 3, I found a bug in XSS clean: the quotation mark " is not transformed to HTML entities. For example, when you input something with a quotation mark in a text field and send it, there is no problem (look at the image). But what if the user inputs > (greater than) and some text? Then the result becomes like this (look at the image).

Fixation: I think we should add a line in system/core/Security.php to the $_never_allowed_str array, like this (look at the image).

RE: XSS bug and fixation - Narf - 09-04-2015

That's not an XSS vulnerability; it doesn't result in code being executed by the client or anything really harmful. Also, if you think that you've found a security issue, it's really bad to put it like this on a public forum board; we've got a security@ email for such reports.

RE: XSS bug and fixation - 10w0lf - 09-04-2015

This bug works on many websites.

RE: XSS bug and fixation - Diederik - 09-04-2015

XSS clean is a method for sanitizing output data to the browser. You should not rely on this feature for validating user input. You should use form validation for validating user input.
http://www.codeigniter.com/user_guide/general/security.html#xss-filtering
http://forum.codeigniter.com/thread-62298-post-320238.html

RE: XSS bug and fixation - kenjis - 09-04-2015

(09-04-2015, 10:27 AM) 10w0lf Wrote: This bug works on many websites.

If so, it is simply that the developers of those sites forgot to escape HTML output. In HTML you must write `&quot;` if you want to show `"`.

RE: XSS bug and fixation - Narf - 09-07-2015

(09-04-2015, 10:27 AM) 10w0lf Wrote: This bug works on many websites.

this bug == not a bug. Simple as that.
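The point Diederik and kenjis make is that a stripping filter is the wrong layer for this: the fix is context-correct escaping of the value when it is written into the page, where `"` must become `&quot;`. The following Python example, added here and not code from the thread or from CodeIgniter, shows why an unescaped `"` matters in an attribute context and how escaping on output resolves it. The `naive_filter` function is a hypothetical stand-in that only mirrors what the thread reports (known fragments removed, the double quote left alone); it is not `xss_clean()`. The two payloads are constructed samples. `html.escape(value, quote=True)` plays the role of CodeIgniter's `html_escape()` helper, which wraps PHP's `htmlspecialchars()` with `ENT_QUOTES`.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs, not taken from the thread.
# The first one uses " to close the value attribute and start new ones;
# the second is the thread's case: " then > then some text.
PAYLOAD_QUOTE_BREAKOUT = '" onfocus="alert(1)" autofocus="'
PAYLOAD_GT_TEXT = '"> some text'


def naive_filter(value: str) -> str:
    """Hypothetical blacklist-style filter: removes a few known-dangerous
    fragments but, like the behaviour reported in the thread, does not
    touch the double quote. This is NOT CodeIgniter's xss_clean()."""
    for bad in ("<script", "</script>", "javascript:"):
        value = value.replace(bad, "")
    return value


def render_filtered(value: str) -> str:
    """Template that trusts the filter and writes the value into an
    attribute without escaping it (the 'forgot to escape' case)."""
    return f'<input type="text" value="{naive_filter(value)}">'


def render_escaped(value: str) -> str:
    """Template that escapes on output. quote=True turns " and ' into
    entities as well as &, < and >, so the value cannot leave the
    attribute it was written into."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


class _Probe(HTMLParser):
    """Records what the browser-side parser would see: the attributes of
    each start tag and any text that ended up outside a tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: list[tuple[str, dict]] = []
        self.text = ""

    def handle_starttag(self, tag, attrs):
        # HTMLParser decodes entities in attribute values for us, so
        # an escaped value comes back as the original string.
        self.attrs.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.text += data


def parse(markup: str) -> tuple[list[tuple[str, dict]], str]:
    """Return (start tags with their attributes, text outside tags)."""
    probe = _Probe()
    probe.feed(markup)
    probe.close()
    return probe.attrs, probe.text


def attribute_value_survives(render, value: str) -> bool:
    """True when the rendered markup contains exactly one <input> whose
    only attributes are type and value, and value round-trips intact."""
    attrs, text = parse(render(value))
    if len(attrs) != 1 or text != "":
        return False
    tag, a = attrs[0]
    return tag == "input" and set(a) == {"type", "value"} and a["value"] == value


if __name__ == "__main__":
    for payload in (PAYLOAD_QUOTE_BREAKOUT, PAYLOAD_GT_TEXT):
        for name, render in (("filtered", render_filtered), ("escaped", render_escaped)):
            attrs, text = parse(render(payload))
            print(f"{name:8} {render(payload)!r}")
            print(f"         attrs={attrs[0][1]} text={text!r}")
```

With the filtered template the first payload yields an `onfocus` attribute and the second pushes " some text" out of the tag into the page body, which is the effect the screenshots in the thread describe. With the escaped template both payloads come back as a single `value` attribute equal to the original input, so whether `xss_clean()` rewrites `"` is irrelevant once output escaping is in place.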