XSS bug and fixation
Bug 

Hello,
While testing my application with CI 3, I found a bug in XSS clean.

The bug is that the quotation mark " is not converted to HTML entities.

For example, when you input something with a quotation mark in a text field and send it:

no problem

look at the image

[Image: 209q7ts.png]

But what if the user inputs > (greater than) and some text? Then the result becomes like this:

look at the image

[Image: 28v4pcj.png]

Fixation

I think we should add a line in system/core/Security.php to the $_never_allowed_str array, like this:

look at the image

[Image: 33xedjo.png]
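The screenshots above show a reflected field value, so the context that matters is an HTML attribute. Whatever xss_clean() does or does not strip for a given payload, an unencoded quotation mark lets the input close the value="..." attribute and add its own. The following is an added example, not code from this thread or from CodeIgniter: it renders the same field naively and with context-aware output encoding (htmlspecialchars with ENT_QUOTES, which is what CodeIgniter 3's html_escape() helper wraps). The field name and the three inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the forum thread or from CodeIgniter itself).
// Demonstrates why an unencoded quotation mark matters when user input
// lands inside an HTML attribute, and what output encoding for that
// context looks like. Field name "q" and the inputs are constructed.

// Naive: the value is reflected into a value="" attribute unencoded.
function render_naive(string $input): string
{
    return '<input type="text" name="q" value="' . $input . '">';
}

// Hardened: ENT_QUOTES encodes both " and ' in addition to <, > and &,
// so the input can neither close the attribute nor open a new tag.
// CodeIgniter 3's html_escape() helper issues this same call.
function render_escaped(string $input): string
{
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="q" value="' . $safe . '">';
}

// Constructed inputs: a harmless string, an attribute breakout that adds
// an event handler, and a breakout that closes the tag entirely.
$inputs = [
    'plain text',
    '" onmouseover="alert(1)',
    '"><script>alert(1)</script>',
];

foreach ($inputs as $in) {
    echo "input:   {$in}\n";
    echo "naive:   " . render_naive($in) . "\n";
    echo "escaped: " . render_escaped($in) . "\n\n";
}
```

Run it with the PHP CLI and compare the two renderings of the second input: the naive line contains a live onmouseover attribute, while the escaped line keeps the whole payload inside the original value as &quot; entities. The point for the thread is that encoding belongs at output, chosen per context, rather than in a blacklist of strings that an input filter removes.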
Messages In This Thread
XSS bug and fixation - by 10w0lf - 09-03-2015, 06:22 PM
RE: XSS bug and fixation - by Narf - 09-04-2015, 01:34 AM
RE: XSS bug and fixation - by 10w0lf - 09-04-2015, 10:27 AM
RE: XSS bug and fixation - by kenjis - 09-04-2015, 03:43 PM
RE: XSS bug and fixation - by Narf - 09-07-2015, 03:05 AM
RE: XSS bug and fixation - by Diederik - 09-04-2015, 12:59 PM