CodeIgniter Forums

Full Version: over-sanitizing ("% 10" disappears from $_POST)

El Forum

[eluser]Unknown[/eluser]
I sent the string "% 10" via a POST form, but it disappears from $_POST, so I couldn't send a string like "number % 10".

Edited: the string 「% 10」 disappears from this post, so I added a space after "%".

I added an attribute to the remove_invisible_characters function call in /system/core/Input.php:528 and fixed this problem.

Code:
// Trunk
$str = remove_invisible_characters($str);

Code:
// Fixed
$str = remove_invisible_characters($str, FALSE);

Is it over-sanitizing or not?

FYI, I attached the definition of the function remove_invisible_characters from /system/core/Common.php.

Code:
function remove_invisible_characters($str, $url_encoded = TRUE)
{
  $non_displayables = array();
  
  // every control character except newline (dec 10)
  // carriage return (dec 13), and horizontal tab (dec 09)
  
  if ($url_encoded)
  {
   $non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15
   $non_displayables[] = '/%1[0-9a-f]/'; // url encoded 16-31
  }
                ...
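To make the trade-off in this post concrete, here is an added Python port of the function's two modes (not CodeIgniter's own code; the raw-control-character pattern and the strip-until-stable loop are assumed from the part of the function elided above). $_POST is already URL-decoded by PHP, so the "url encoded" patterns run against literal text and a plain "%10" (a modulus expression) is treated as an encoded control character. Passing FALSE keeps such text but no longer catches an encoded control byte that a later component decodes again.

```python
import re
from urllib.parse import unquote

# Raw control bytes: everything except \n (10), \r (13) and \t (09); assumed
# to match the part of the original function that is cut off above.
RAW_CONTROL = re.compile(r'[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+')

# The two "url encoded" patterns exactly as shown in the post (case-sensitive).
URL_ENCODED_CONTROL = [
    re.compile(r'%0[0-8bcef]'),  # url encoded 00-08, 11, 12, 14, 15
    re.compile(r'%1[0-9a-f]'),   # url encoded 16-31
]


def remove_invisible_characters(s: str, url_encoded: bool = True) -> str:
    """Port of remove_invisible_characters($str, $url_encoded = TRUE)."""
    patterns = [RAW_CONTROL] + (URL_ENCODED_CONTROL if url_encoded else [])
    # Strip repeatedly until nothing changes, so a sequence such as "%%1010"
    # cannot reassemble into "%10" after one pass.
    while True:
        stripped = s
        for pattern in patterns:
            stripped = pattern.sub('', stripped)
        if stripped == s:
            return s
        s = stripped


def decoded_downstream(s: str, url_encoded: bool) -> str:
    """What a later component sees if it URL-decodes the sanitized value again.

    This is the case the url_encoded=True branch is meant to cover: with the
    flag off, "%00" survives sanitizing and becomes a NUL byte on decoding.
    """
    return unquote(remove_invisible_characters(s, url_encoded))


if __name__ == '__main__':
    # Constructed inputs: the poster's modulus expression and a NUL-bearing value.
    for value in ('number %10', 'a\x00b', '%%1010', '%00'):
        print(repr(value),
              '->', repr(remove_invisible_characters(value)),
              '| FALSE:', repr(remove_invisible_characters(value, False)))
```

The first line of output shows the over-sanitizing from the post ("number %10" becomes "number "), while the "%00" line shows what the FALSE argument gives up when the value is decoded a second time downstream.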

El Forum

[eluser]Unknown[/eluser]
Sorry, I found that a pull request about this problem has already been posted to GitHub.

https://github.com/EllisLab/CodeIgniter/pull/1229