$this->input->post() not escaping JS
Why this $this->input->post() not escaping JS scripts?
For example, what will happen if someone types <script>alert('test');</script> in a textarea? It will be added to the database as it is, and the script will be executed wherever this textarea is shown. Any suggestions? Here is the var_dump from $this->input->post():
PHP Code: array (size=1)
From a security POV, because a bug in the current XSS filter (or a new XSS attack made possible in the future) would mean that whatever you assumed safe at the time will be a reflected XSS vulnerability in the future.
Then, even if you leave that concern aside, we shouldn't assume that all input is HTML and/or JavaScript. Just 2 hours ago we received a bug report about non-HTML data being corrupted - the bug itself is invalid because the user had enforced the XSS filter, but is a great example of how that can go wrong. TL;DR: Validate input, filter output.
So bottom line, you just need to use htmlentities to escape HTML/JS:
htmlentities($this->input->post('message'));
No, bottom line is XSS-escape what you print on a page, not what you put in your database.
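As an added example (not code from any poster in this thread), here is the pattern the replies describe in plain PHP: the submitted text goes into the database unchanged through a bound parameter, and it is escaped with htmlspecialchars() only at the point where it is printed. The table name, the SQLite in-memory database and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not code from this thread. Pattern from the replies above:
// store what was typed, escape at the point where it is printed.

// Escape text for HTML element content or a double-quoted attribute value.
// ENT_QUOTES also converts single quotes (older PHP defaults left them alone);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input side: the text goes into the database unchanged, via a bound parameter.
// Nothing is stripped, so non-HTML content such as "a < b && c > d" survives.
function store_message(PDO $db, string $message): void
{
    $stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $message]);
}

// Output side: the stored text is escaped when rendered. The same escaped
// value is safe both inside the textarea and as ordinary paragraph text.
function render_messages(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT body FROM messages ORDER BY id') as $row) {
        $safe = escape_html($row['body']);
        $html .= "<textarea name=\"message\">$safe</textarea>\n<p>$safe</p>\n";
    }
    return $html;
}

// Constructed inputs (standing in for $this->input->post('message')):
// an injection attempt and ordinary text that an XSS filter would mangle.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)');
store_message($db, "<script>alert('test');</script>");
store_message($db, 'a < b && c > d');

// Round trip: the database still holds the raw text, the page shows it inert.
foreach ($db->query('SELECT body FROM messages ORDER BY id') as $row) {
    echo 'stored: ', $row['body'], "\n";
}
echo render_messages($db);
```

The same escaping belongs in every view that prints user data, not only the one that echoes the textarea; text placed inside a <script> block or a URL needs a context-specific encoder rather than HTML escaping.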