+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6)
+--- Forum: Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19)
+--- Thread: XSS replaces in the documentation (/showthread.php?tid=69962)
Pages:
1
2
RE: XSS replaces in the documentation - Narf - 02-14-2018
(02-12-2018, 07:21 AM)Elias Wrote:(02-12-2018, 06:24 AM)Narf Wrote: Not a bug.
Why? Tags like <b> or <a> not replaces... What's a normal input string for xss_clean() ?
Thanks for answers
Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.
Bold doesn't have the 'src' attribute and cannot do anything potentially dangerous.
Anchor doesn't have the 'src' attribute, but can be altered or replaced in certain cases.
I don't know what you mean by a "normal input string" ... there's no such thing. The function is made to strip or defuse potentially dangerous tags and attributes, and that's what it does.
RE: XSS replaces in the documentation - Elias - 02-15-2018
(02-14-2018, 11:28 AM)Narf Wrote: Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.
Ok, string
Code:
<video src="https://www.w3schools.com/html/mov_bbb.mp4"></video>Is this the right behavior?
P.S: I'm not saying how you should make the framework, I just try to understand what I'm doing wrong.
RE: XSS replaces in the documentation - Narf - 02-22-2018
(02-15-2018, 08:01 AM)Elias Wrote:has src and xss_clean() replaces HTML characters.Code:<video src="https://www.w3schools.com/html/mov_bbb.mp4"></video>
Is this the right behavior?
Yes, that's what this means:
(02-14-2018, 11:28 AM)Narf Wrote: Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.