CodeIgniter Forums
Input library doesn't escape $_SERVER? - Printable Version




Input library doesn't escape $_SERVER? - El Forum - 12-24-2008

[eluser]cfraz[/eluser]
It looks like the Input library doesn't run its _clean_input_data function on $_SERVER like it does with $_POST and $_COOKIE (and $_GET).

I know that Input optionally filters xss content on $_SERVER, but it seems that some of the $_SERVER parameters have vulnerabilities that should be cleaned.

Yes? No?


Input library doesn't escape $_SERVER? - El Forum - 12-25-2008

[eluser]Matthieu Fauveau[/eluser]
Even if it's not documented, CI can filter $_SERVER through xss_clean if you set the second parameter to TRUE. But I believe you know that, if I read you correctly.

It might be a matter of performance that CI does the _clean_input_data only on $_GET, $_POST and $_COOKIE...


Input library doesn't escape $_SERVER? - El Forum - 12-26-2008

[eluser]cfraz[/eluser]
Yeah, the user guide documents the xss clean for input->server('param', TRUE). My question was about the escaping of input and normalizing of all returns to \n that input-> does for post and cookie and get (but not server) when the second parameter is not set.

Why is it needed for post and cookie and get, but not server?
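
An added example, not part of the thread and not CodeIgniter's own code: a plain-PHP helper that applies the newline normalization discussed above to `$_SERVER`-style values before they are used. The names `clean_server_value` and `server_param` are hypothetical, and the control-character stripping is an assumption beyond what the thread describes.

```php
<?php
// Added example, not CodeIgniter code. clean_server_value() and
// server_param() are hypothetical helper names.

// Normalize line endings to "\n" (the behaviour the thread describes for
// post/cookie/get) and drop the remaining ASCII control characters.
// Stripping control characters is an assumption of this example.
function clean_server_value(string $value): string
{
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    // Keep "\n" and "\t"; remove other C0 controls and DEL.
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value) ?? '';
}

// Read one entry from a $_SERVER-style array, cleaning it first.
// Returns null when the key is absent or the value is not a string.
function server_param(array $server, string $key): ?string
{
    if (!isset($server[$key]) || !is_string($server[$key])) {
        return null;
    }
    return clean_server_value($server[$key]);
}

// Constructed sample data. HTTP_* entries are copied from request
// headers, so their content is chosen by the client.
$sample = [
    'HTTP_USER_AGENT' => "Mozilla/5.0\r\nsecond line\x00",
    'REMOTE_ADDR'     => '203.0.113.7',
];

var_dump(server_param($sample, 'HTTP_USER_AGENT'));
var_dump(server_param($sample, 'REMOTE_ADDR'));
var_dump(server_param($sample, 'MISSING'));
```

This only normalizes the raw value; escaping for HTML, SQL or log output still has to happen at the point of use.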