XSS replaces in the documentation
#9

(02-02-2018, 11:57 AM)Elias Wrote: Hello!

I see that in the documentation (for example https://www.codeigniter.com/user_guide/h...elper.html ) some http:// are replaced to http & # 5 8 ; // (without spaces)

Is it normal? Thanks)

That's not an "XSS replace" ... The manual doesn't concern itself with XSS, because it doesn't need to.

We use Sphinx to generate the manual from sources; recently updated it, and apparently the older version used to render HTML entities, so they were written like that in our sources, to avoid the string 'http://' being auto-converted to an anchor tag.

Fixed the ones I've found: https://github.com/bcit-ci/CodeIgniter/c...c3081db7c0

(02-10-2018, 12:46 PM)Elias Wrote: And as it seems to me, I found a bug in xss_clean() function/method:
xss_clean() translates

Code:
<video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls><source src="/mov_bbb.ogg"></video>

to

Code:
&lt;video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls&gt;<source src="/mov_bbb.ogg">&lt;/video&gt;

Also works for <audio> tag.

Not a bug.

(02-11-2018, 10:46 AM)wishmaster Wrote: Because regexp is a bad idea for filtering. Use Zend Escaper and/or HTML Purifier.

That regexp argument is a red herring.

It's true that regular expressions probably aren't the best tool for the job, but that's not at all what the flaw in xss_clean() is. The problem is that it is blind to context.
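To make the "blind to context" point concrete, here is an added example of the context-aware alternative; it is not CodeIgniter code and not xss_clean(). The helper names esc_html, esc_url_attr and render_video are assumptions; the template decides that the poster and src slots are URL-valued attributes and escapes for that context instead of filtering an arbitrary HTML string.

```php
<?php
// Added example (not CodeIgniter's own code): output escaping chosen per context.
// xss_clean() sees only a string; a template knows where each value will land.
declare(strict_types=1);

/** Escape for HTML text content and double-quoted attribute values. */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Escape a value for a URL-valued attribute (href, src, poster).
 * The scheme is whitelisted first: only http(s) and root-relative paths pass,
 * so any other scheme is rejected outright rather than "cleaned".
 */
function esc_url_attr(string $url): ?string
{
    $url = trim($url);
    // Root-relative URL: no scheme at all (but not protocol-relative "//host").
    if ($url !== '' && $url[0] === '/' && substr($url, 0, 2) !== '//') {
        return esc_html($url);
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null; // caller decides how to handle an unacceptable URL
    }
    return esc_html($url);
}

/** Render the <video> element from the quoted post with user-controlled URLs. */
function render_video(string $poster, string $src): string
{
    $posterAttr = esc_url_attr($poster);
    $srcAttr    = esc_url_attr($src);
    if ($posterAttr === null || $srcAttr === null) {
        return '<p>' . esc_html('Unsupported media URL') . '</p>';
    }
    return '<video poster="' . $posterAttr . '" controls>'
         . '<source src="' . $srcAttr . '"></video>';
}

// Constructed sample inputs; the first URL is the one from the quoted post.
echo render_video('http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg', '/mov_bbb.ogg'), PHP_EOL;
echo render_video('javascript:void(0)', '/mov_bbb.ogg'), PHP_EOL;   // rejected by scheme check
echo render_video('/img.jpg" data-x="y', '/mov_bbb.ogg'), PHP_EOL;  // quote cannot close the attribute
```

The markup around the values is fixed by the template, so the original <video> element survives unchanged while the same code refuses a non-http scheme and neutralises a stray quote, which is exactly the decision a context-free filter cannot make.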
Messages In This Thread
XSS replaces in the documentation - by Elias - 02-02-2018, 11:57 AM
RE: XSS replaces in the documentation - by Elias - 02-10-2018, 12:46 PM
RE: XSS replaces in the documentation - by falko - 02-10-2018, 11:23 PM
RE: XSS replaces in the documentation - by PaulD - 02-11-2018, 04:08 AM
RE: XSS replaces in the documentation - by Elias - 02-11-2018, 09:57 AM
RE: XSS replaces in the documentation - by PaulD - 02-11-2018, 11:15 AM
RE: XSS replaces in the documentation - by Narf - 02-12-2018, 06:24 AM
RE: XSS replaces in the documentation - by Elias - 02-12-2018, 07:21 AM
RE: XSS replaces in the documentation - by Narf - 02-14-2018, 11:28 AM
RE: XSS replaces in the documentation - by Elias - 02-15-2018, 08:01 AM
RE: XSS replaces in the documentation - by Narf - 02-22-2018, 01:31 AM