CodeIgniter Forums

Full Version: [solved] Form Validation |xss_clean| and incomplete HTML Links (<a> tag, a tag)

El Forum

Hello all.

This is my first post, and I'm fairly new to the CodeIgniter Framework. I'm currently using the latest version (2.0.2).

I've run into a strange response when submitting data from a form using the form_validation class and using its "xss_clean" form prepping function.

From what I can tell, xss_clean sanitizes the "naughty" elements. This is straight from system/core/security.php:

/*
 * Sanitize naughty HTML elements
 * If a tag containing any of the words in the list
 * below is found, the tag gets converted to entities.
 * So this: <blink>
 * Becomes: &lt;blink&gt;
 */
$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);

This is great. However, if you submit an incomplete HTML link (an <a> tag) to a database like this:

<a href="url">Link text

your page is going to be in a world of hurt if you echo out the response from the database later. Everything following the echoed-out incomplete <a> tag is part of said link. I'm wondering if this is a bug or I'm missing something entirely?

I found I could resolve the problem by adding the a tag to the sanitized naughty HTML elements in the security.php file.

Thanks for any help.

Edit: This actually goes for other open HTML elements like <select>, etc.

Edit 2: Easy fix, add strip_tags to form validation rules.
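The behaviour described in the post, as an added example that is not part of the original post or of CodeIgniter's code. It uses a constructed stored value (an <a> with no closing tag), shows the raw echo that swallows the rest of the page, and then the two fixes: stripping tags at input (the post's "Edit 2") and escaping at output. The helper names (render_raw, sanitize_for_storage, render_escaped, has_unclosed_tag) are mine; the rule string 'trim|strip_tags|xss_clean' relies on CodeIgniter's form validation accepting single-argument native PHP functions as rules.

```php
<?php
// Added example, not CodeIgniter code. Demonstrates why an unclosed tag that
// survives xss_clean breaks the page that echoes it, and how to stop that.

// Constructed input, the kind of value the post describes: <a> with no </a>.
// 'a' is not in xss_clean's naughty list, so the tag passes through untouched.
$stored = '<a href="url">Link text';

// A view that trusts the stored value and echoes it raw. In a browser the
// second paragraph's text ends up inside the still-open link.
function render_raw(string $comment): string
{
    return "<p>Comment: $comment</p>\n"
         . "<p>Next paragraph, now rendered as part of the link.</p>";
}

// Fix 1 (the post's "Edit 2"): remove all markup before the value is stored.
// In CodeIgniter this is the validation rule string 'trim|strip_tags|xss_clean',
// which works because form validation accepts one-argument native PHP functions.
function sanitize_for_storage(string $input): string
{
    return strip_tags(trim($input));
}

// Fix 2: keep the text as submitted but escape it where it meets HTML, so the
// browser sees the literal characters "<a href=...>" rather than a tag. This is
// the general defence: escaping on output works for every tag, not just the
// ones on a blacklist, and does not depend on what the input filter caught.
function render_escaped(string $comment): string
{
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Comment: $safe</p>\n"
         . "<p>Next paragraph, still its own element.</p>";
}

// Rough well-formedness check for one tag name: more opening than closing tags
// means something is left open. Assumption: a regex count is enough for this
// demo; a real check needs an HTML5-compliant parser, since browsers re-open
// unclosed formatting elements like <a> in later blocks.
function has_unclosed_tag(string $html, string $tag): bool
{
    $opens  = preg_match_all('#<' . preg_quote($tag, '#') . '\b[^>]*>#i', $html);
    $closes = preg_match_all('#</' . preg_quote($tag, '#') . '\s*>#i', $html);
    return $opens > $closes;
}

// Before: the raw render carries an unclosed <a>.
echo render_raw($stored), "\n";
var_dump(has_unclosed_tag(render_raw($stored), 'a'));

// After, fix 1: only the text survives storage.
echo sanitize_for_storage($stored), "\n";

// After, fix 2: the tag is still in the data, but no longer markup in the page.
echo render_escaped($stored), "\n";
var_dump(has_unclosed_tag(render_escaped($stored), 'a'));
```

The caveat worth keeping in mind: xss_clean converts a fixed list of tag names to entities and never closes anything, so it does not make its output well-formed HTML. strip_tags at input is a reasonable quick fix when the field should never contain markup, but escaping at output (htmlspecialchars, or whatever the view layer offers) is the fix that holds regardless of what the input filter missed.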