$this->input->post() not escaping JS
#1

Why is $this->input->post() not escaping JS scripts?

For example, what will happen if someone types <script>alert('test');</script> in a textarea?
It will be added to the database as-is, and the script will be executed wherever this textarea is shown.

Any suggestions?

Here is the var_dump from $this->input->post();

PHP Code:
array (size=1)
  'message' => string '<script>alert('test');</script>' (length=31)
Reply
#2

From a security POV, because a bug in the current XSS filter (or a new XSS attack made possible in the future) would mean that whatever you assumed safe at the time will be a reflected XSS vulnerability in the future.

Then, even if you leave that concern aside, we shouldn't assume that all input is HTML and/or JavaScript. Just 2 hours ago we received a bug report about non-HTML data being corrupted - the bug itself is invalid because the user had enforced the XSS filter, but it is a great example of how that can go wrong.

TL;DR: Validate input, filter output.
Reply
#3

So bottom line, you just need to use htmlentities to escape HTML/JS:
htmlentities($this->input->post('message'));
Reply
#4

No, bottom line is XSS-escape what you print on a page, not what you put in your database.
Reply
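As an added example (not code from this thread or from CodeIgniter itself), here is the "validate input, escape output" advice from posts #2 and #4 in plain PHP: the value is stored unchanged and escaped only at the point of output, with a different escaper per context. It assumes PHP with the pdo_sqlite extension and uses an in-memory table as a stand-in for the real database.

```php
<?php
// Constructed sample: the value $this->input->post('message') returned in post #1.
$message = "<script>alert('test');</script>";

// Step 1: persist the value unchanged. A parameterised query protects the
// database from SQL injection without altering the content.
function store(PDO $db, string $message): void {
    $stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $message]);
}

// Step 2: escape for the context in which the value is rendered.
// HTML body: the browser displays the text instead of executing it.
function escapeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inline JavaScript: JSON-encode with HTML-safe flags rather than HTML-escaping,
// so the result is a valid JS string literal that cannot close the enclosing
// <script> element.
function escapeJs(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Non-HTML consumer (plain-text email, CSV export, JSON API): no HTML escaping.
// Had the value been escaped on input, this consumer would receive
// '&lt;script&gt;...' - the data corruption described in post #2.
function plainText(string $s): string {
    return $s;
}

// Hypothetical in-memory database standing in for the application's real one.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)');
store($db, $message);
$stored = $db->query('SELECT body FROM messages')->fetchColumn();

// Same stored value, three outputs, each escaped for its own context.
echo '<p>' . escapeHtml($stored) . "</p>\n";
echo '<script>var msg = ' . escapeJs($stored) . ";</script>\n";
echo plainText($stored) . "\n";
```

Swapping htmlentities() for htmlspecialchars() in escapeHtml() would also work for the HTML context; the flags and the explicit charset are what matter, since without ENT_QUOTES a value placed inside a single-quoted attribute is still not safe.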
#5

(01-27-2016, 05:13 PM)Narf Wrote: No, bottom line is XSS-escape what you print on a page, not what you put in your database.

Right, this is what I meant :)
Reply
#6

(01-27-2016, 07:35 PM)siburny Wrote:
(01-27-2016, 05:13 PM)Narf Wrote: No, bottom line is XSS-escape what you print on a page, not what you put in your database.

Right, this is what I meant :)

Yet you said nothing like that ...
Reply
Theme © iAndrew 2016 - Forum software by © MyBB