XSS replaces in the documentation - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com) - Forum: Development - Forum: Issues
Thread: XSS replaces in the documentation (https://forum.codeigniter.com/showthread.php?tid=69962)
RE: XSS replaces in the documentation - Narf - 02-14-2018

(02-12-2018, 07:21 AM) Elias Wrote:
    (02-12-2018, 06:24 AM) Narf Wrote: Not a bug.

Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS. Bold doesn't have the 'src' attribute and cannot do anything potentially dangerous. Anchor doesn't have the 'src' attribute, but can be altered or replaced in certain cases.

I don't know what you mean by a "normal input string" ... there's no such thing. The function is made to strip or defuse potentially dangerous tags and attributes, and that's what it does.

RE: XSS replaces in the documentation - Elias - 02-15-2018

(02-14-2018, 11:28 AM) Narf Wrote: Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.

Ok, string

Code:
<video src="https://www.w3schools.com/html/mov_bbb.mp4"></video>

Is this the right behavior?

P.S.: I'm not saying how you should make the framework, I'm just trying to understand what I'm doing wrong.

RE: XSS replaces in the documentation - Narf - 02-22-2018

(02-15-2018, 08:01 AM) Elias Wrote:

Yes, that's what this means:

(02-14-2018, 11:28 AM) Narf Wrote: Anything that has an 'src' attribute can link external resources and trigger their execution, and thus - XSS.
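The policy Narf describes (harmless formatting passes, anchors are altered, anything that can load an external resource is defused) as an added allowlist sanitizer in Python; this is example code written for this thread, not CodeIgniter's xss_clean, whose exact output the thread does not show. The tag and scheme allowlists are assumptions chosen for the illustration, and the <video> input is the string from Elias's post.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for this example; these are not CodeIgniter's lists.
SAFE_TAGS = {"b", "strong", "i", "em", "p"}     # carry no src/href, pass unchanged
LINK_SCHEMES = {"http", "https", "mailto", ""}  # "" keeps relative links on <a href>


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input, keeping only allowlisted markup; all else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SAFE_TAGS:
            self.out.append(f"<{tag}>")  # every attribute dropped (onclick, style, ...)
        elif tag == "a":
            # The anchor is "altered": href survives only with an allowlisted scheme.
            href = (attrs.get("href") or "").strip()
            if href and urlparse(href).scheme.lower() in LINK_SCHEMES:
                self.out.append(f'<a href="{escape(href)}" rel="noopener">')
            else:
                self.out.append("<a>")
        else:
            # Any other element, including everything with src (video, img, iframe,
            # embed, script, ...), is "defused": emitted as escaped text, not markup.
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <x/> has no separate end tag to emit

    def handle_endtag(self, tag):
        if tag in SAFE_TAGS or tag == "a":
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))  # text content is never emitted raw


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # The tag stays visible to the reader but can no longer fetch the resource.
    print(sanitize('<video src="https://www.w3schools.com/html/mov_bbb.mp4"></video>'))
    print(sanitize('<b onclick="x()">bold</b> <a href="https://example.com/docs">link</a>'))
```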