XSS bug and fixation

#1
Bug
Hello,
While testing my application with CI 3, I found a bug in XSS clean.

The bug is that the quotation mark " is not transformed to HTML entities.

For example, when you want to input something with a quotation mark in a text field and send it:

No problem.

look at the image

[Image: 209q7ts.png]

But what if the user inputs > (greater than) and some text? Then the result becomes like this:

look at the image

[Image: 28v4pcj.png]

Fixation

I think we should add a line in system/core/Security.php to the $_never_allowed_str array, like this:

look at the image

[Image: 33xedjo.png]
Reply

#2
That's not an XSS vulnerability, it doesn't result in code being executed by the client or anything really harmful.

Also, if you think that you've found a security issue, it's really bad to put it like this in a public forum board; we've got a [email protected] email for such reports.
Reply

#3
This bug is working on many websites.
Reply

#4
XSS clean is a method for sanitizing output data to the browser. You should not rely on this feature for validating user input. You should use form validation for validating user input.

http://www.codeigniter.com/user_guide/ge...-filtering
http://forum.codeigniter.com/thread-6229...20238.html
Reply

#5
(09-04-2015, 10:27 AM)10w0lf Wrote: This bug is working on many websites.

If so, it is simply that developers of the sites forgot to escape HTML output.

In HTML you must write `&quote;` if you want to show `"`.
Do you want to write tests for your apps? Our book, CodeIgniter Testing Guide would help you.
Reply
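An added example (not from this thread and not CodeIgniter's own code) of what posts #4 and #5 mean by escaping HTML output: the submitted value is escaped at output time, so the `"` and `>` from post #1 become entities instead of closing the attribute. It assumes plain PHP 7 or later; the function names are my own, and CodeIgniter 3's html_escape() helper wraps the same htmlspecialchars() call.

```php
<?php
// Added example, not code from the thread or from CodeIgniter.
// Assumes PHP >= 7.0 (scalar type declarations).

/** Escape a string for use inside HTML text or a quoted attribute value. */
function escape_html(string $value): string
{
    // ENT_QUOTES also converts the single quote, which matters inside
    // single-quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from
    // silently producing an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render an <input> whose value attribute carries the submitted text. */
function render_text_field(string $name, string $value): string
{
    return '<input type="text" name="' . escape_html($name)
         . '" value="' . escape_html($value) . '">';
}

// Constructed sample input in the spirit of post #1: a quotation mark,
// a greater-than sign and some text.
$submitted = '" > some text';

// Written to the page unescaped, the quote ends the value attribute and
// the ">" closes the tag, so "some text" lands outside the input.
$unsafe = '<input type="text" name="q" value="' . $submitted . '">';

// Escaped at output time, the same input stays a literal attribute value
// (" becomes &quot; and > becomes &gt;), whatever validation did or did not
// happen on the way in.
$safe = render_text_field('q', $submitted);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

Run it with `php` from the command line and compare the two lines: only the second keeps the whole submitted string inside the value attribute.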

#6
(09-04-2015, 10:27 AM)10w0lf Wrote: This bug is working on many websites.

this bug == not a bug

Simple as that.
Reply
