XSS bug and fixation
Hello,
while testing my application with CI 3, I found a bug in XSS clean. The bug is that the quotation mark " does not transform to HTML entities. For example: when you want to input something with a quotation mark in a text field and send it, there is no problem (look at the image), but what if the user inputs > (greater than) and some text? Then the result becomes like that (look at the image).
Fixation: I think we should add a line in system/core/Security.php at the $_never_allowed_str array, like that (look at the image).
That's not an XSS vulnerability, it doesn't result in code being executed by the client or anything really harmful.
Also, if you think that you've found a security issue, it's really bad to put it like this in a public forum board; we've got a security@ email for such reports.
XSS clean is a method for sanitizing output data to the browser. You should not rely on this feature for validating user input. You should use form validation for validating user input.
http://www.codeigniter.com/user_guide/ge...-filtering
http://forum.codeigniter.com/thread-6229...20238.html
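The distinction in the reply above (a form-validation rule decides whether input is acceptable; escaping at the point of output decides how it is rendered) is easier to see with a runnable illustration. The following is an added example, not code from the thread or from CodeIgniter; it uses plain PHP so it runs without the framework, and the function names `escapeForHtml` and `validateDisplayName` are assumptions. CodeIgniter 3's `html_escape()` helper wraps `htmlspecialchars()` in the same way as `escapeForHtml` below.

```php
<?php
// Added example (not CodeIgniter's own code): output escaping versus input
// validation, using the two inputs discussed in the post above plus one
// constructed attribute break-out attempt.

// Escape a string for insertion into HTML body text or a double-quoted
// attribute. ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE avoids
// returning an empty string on malformed UTF-8.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A minimal allow-list validator in the spirit of a form-validation rule:
// accept only the characters a "display name" field legitimately needs.
// Input that fails here is rejected with an error, not silently altered.
function validateDisplayName(string $value): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} .\'-]{1,50}$/u', $value);
}

// Constructed sample inputs (hypothetical, for this example only).
$samples = [
    'plain "quoted" text',          // the quotation-mark case from the post
    '> some text',                  // the greater-than case from the post
    '"><b>injected</b>',            // constructed attempt to close an attribute
];

foreach ($samples as $input) {
    printf("input : %s\n", $input);
    printf("valid : %s\n", validateDisplayName($input) ? 'yes' : 'no');
    // Rendering into an attribute: every " and > has become an entity, so the
    // value can no longer terminate the attribute or the tag, regardless of
    // whether it was filtered on the way in.
    printf("html  : <input value=\"%s\">\n\n", escapeForHtml($input));
}
```

Running it shows `plain &quot;quoted&quot; text`, `&gt; some text` and `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;` in the rendered attribute, while only the first sample passes validation. That is the behaviour the original poster expected from `xss_clean()`, but it belongs to the escaping step at output time, chosen for the HTML context the value lands in, not to an input filter.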