XSS replaces in the documentation

#9
(02-02-2018, 11:57 AM)Elias Wrote: Hello!

I see that in the documentation (for example https://www.codeigniter.com/user_guide/h...elper.html ) some http:// are replaced with http & # 5 8 ; // (without spaces)

Is it normal? Thanks)

That's not an "XSS replace" ... The manual doesn't concern itself with XSS, because it doesn't need to.

We use Sphinx to generate the manual from sources; recently updated it, and apparently the older version used to render HTML entities, so they were written like that in our sources, to avoid the string 'http://' being auto-converted to an anchor tag.

Fixed the ones I've found: https://github.com/bcit-ci/CodeIgniter/c...c3081db7c0

(02-10-2018, 12:46 PM)Elias Wrote: And, as it seems to me, I found a bug in the xss_clean() function/method:
xss_clean() translates

Code:
<video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls><source src="/mov_bbb.ogg"></video>

to

Code:
&lt;video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls&gt;<source src="/mov_bbb.ogg">&lt;/video&gt;

Also works for <audio> tag.

Not a bug.

(02-11-2018, 10:46 AM)wishmaster Wrote: Because regexp is a bad idea for filtering. Use Zend Escaper and/or HTMLPurifier.

That regexp argument is a red herring.

It's true that regular expressions probably aren't the best tool for the job, but that's not at all what the flaw in xss_clean() is. The problem is that it is blind to context.
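To make the "blind to context" point concrete, here is an added example that is not part of this thread and not CodeIgniter code. It puts a constructed regex blacklist filter (a stand-in for the context-unaware approach being criticised, not xss_clean() itself) beside context-aware output escaping, and runs the same three constructed payloads through both. The payloads are made up for the demo; `&#58;` in the URL payload is the same character reference Elias noticed in the manual, and it shows why a filter that matches the literal string `javascript:` but does not know its output will land inside an attribute misses the case: the HTML parser decodes the reference before the URL is handed to the scheme handler.

```python
import html
import re
from urllib.parse import urlsplit

# --- A constructed, context-blind blacklist filter ---------------------------
# Stand-in for the regex-based filtering approach discussed in the thread.
# It is NOT CodeIgniter's xss_clean(); it exists only to show why a filter
# that does not know where its output will land cannot be correct.
_BAD_TAG_RE = re.compile(r"</?\s*(?:script|iframe|object|embed)\b[^>]*>", re.I)
_JS_SCHEME_RE = re.compile(r"javascript\s*:", re.I)

def naive_filter(untrusted: str) -> str:
    """Strip a blacklist of tags and the literal 'javascript:' scheme."""
    cleaned = _BAD_TAG_RE.sub("", untrusted)
    return _JS_SCHEME_RE.sub("", cleaned)

# --- Context-aware escaping: one encoder per output slot --------------------
def esc_text(value: str) -> str:
    """Element text content: encoding & < > is enough here."""
    return html.escape(value, quote=False)

def esc_attr(value: str) -> str:
    """Double-quoted attribute value: also encode both quote characters."""
    return html.escape(value, quote=True)

SAFE_SCHEMES = {"http", "https", "mailto"}

def esc_url(value: str) -> str:
    """URL attribute (href/src/poster): allowlist the scheme, then attribute-escape.
    Rejecting an unexpected scheme is safer than trying to 'clean' it."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return esc_attr(value)

def render_naive(text: str, title: str, href: str) -> str:
    """Every slot gets the same context-blind filter."""
    return (f"<p>{naive_filter(text)}</p>"
            f'<a title="{naive_filter(title)}" href="{naive_filter(href)}">x</a>')

def render_aware(text: str, title: str, href: str) -> str:
    """Each slot gets the encoder for its own context."""
    return (f"<p>{esc_text(text)}</p>"
            f'<a title="{esc_attr(title)}" href="{esc_url(href)}">x</a>')

def browser_sees_url(attr_value: str) -> str:
    """What the HTML parser hands to the URL handler: character references in an
    attribute value are decoded first, so &#58; becomes ':' before any scheme check."""
    return html.unescape(attr_value)

def attr_breakout(filtered_value: str) -> bool:
    """True if a value placed inside title="..." would close the quote early."""
    return '"' in filtered_value

# Constructed payloads, one per output context.
BODY_PAYLOAD = "<script>alert(1)</script>"   # element-content context
ATTR_PAYLOAD = '" onmouseover="alert(1)'     # attribute context: no tag, no scheme
URL_PAYLOAD = "javascript&#58;alert(1)"      # URL context, colon as a character reference

if __name__ == "__main__":
    print("naive :", render_naive(BODY_PAYLOAD, ATTR_PAYLOAD, URL_PAYLOAD))
    print("aware :", render_aware(BODY_PAYLOAD, ATTR_PAYLOAD, URL_PAYLOAD))
```

The blacklist filter does neutralise the body payload, which is why filters like this look convincing in quick tests. It leaves the attribute payload untouched because it contains no tag and no scheme, and it leaves the URL payload untouched because the colon is spelled as a character reference; both survive into a context where they execute. The context-aware version never inspects the input for "badness" at all; it only has to know which slot it is filling.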

