XSS bug and fixation
#1
Bug 

Hello,
While testing my application with CI 3, I found a bug in XSS clean.

This bug is that the quotation mark " does not get transformed to HTML entities.

For example: when you want to input something with a quotation mark in a text field and send it.

No problem.

look at the image

[Image: 209q7ts.png]

But what if the user inputs > (greater than) and some text? Then the result becomes like this:

look at the image

[Image: 28v4pcj.png]

Fixation

I think we should add a line in system/core/Security.php to the $_never_allowed_str array, like this:

look at the image

[Image: 33xedjo.png]
#2

That's not an XSS vulnerability; it doesn't result in code being executed by the client, or anything really harmful.

Also, if you think that you've found a security issue, it's really bad to put it like this in a public forum board; we've got a security@ email for such reports.
#3

This bug is working on many websites.
#4

XSS clean is a method for sanitizing output data to the browser. You should not rely on this feature for validating user input. You should use form validation for validating user input.

http://www.codeigniter.com/user_guide/ge...-filtering
http://forum.codeigniter.com/thread-6229...20238.html
#5

(09-04-2015, 10:27 AM)10w0lf Wrote: This bug is working on many websites.

If so, it is simply that developers of the sites forgot to escape HTML output.

In HTML you must write `&quote;` if you want to show `"`.
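The distinction the last two replies draw, as an added example that is not from the thread or from the CodeIgniter project: a sanitizer such as xss_clean() strips what it considers dangerous, while output escaping encodes every HTML metacharacter for the place it is rendered (the entity for a double quote is `&quot;`). The input value and field name below are constructed; the only library call is PHP's htmlspecialchars(), which CodeIgniter 3's html_escape() helper wraps.

```php
<?php
// Added example, not code from the thread or from CodeIgniter itself.
// Shows why a '"' and a '>' typed into a form field break the page when
// the value is echoed raw, and why output escaping (not xss_clean) is
// the fix.

// Constructed sample: the kind of text the first post typed into the field.
$userValue = 'He said "hi" > there';

// Escape a value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string (which would silently drop data).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape every string in a form-data array, recursing into nested arrays,
// so a view can be handed already-safe data (CodeIgniter's html_escape()
// accepts arrays for the same reason).
function escapeAll(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? escapeAll($value) : escapeHtml((string) $value);
    }
    return $data;
}

// Render the submitted value back into the text input, with or without escaping.
function renderInput(string $name, string $value, bool $escape): string
{
    $safe = $escape ? escapeHtml($value) : $value;
    return '<input type="text" name="' . escapeHtml($name) . '" value="' . $safe . '">';
}

// Raw: the first '"' in the value closes the value attribute early and the
// '>' ends the <input> tag, so the browser shows a truncated field followed
// by stray text, exactly what the screenshots in the first post describe.
echo renderInput('title', $userValue, false), PHP_EOL;

// Escaped: '"' becomes &quot; and '>' becomes &gt;, the attribute stays
// intact, and the field displays the text verbatim.
echo renderInput('title', $userValue, true), PHP_EOL;

// Escaping a whole POST array once before passing it to a view.
print_r(escapeAll(['title' => $userValue, 'tags' => ['a>b', 'c"d']]));
```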
#6

(09-04-2015, 10:27 AM)10w0lf Wrote: This bug is working on many websites.

this bug == not a bug

Simple as that.