< > " etc etc all show up AS the entity in the textbox

Thread: https://forum.codeigniter.com/showthread.php?tid=15972
Forum: CodeIgniter Forums (https://forum.codeigniter.com) > Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20) > Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
drewbee - 02-20-2009

Global XSS Filtering = off

This has to do with the form_prep function. My forms look to the tee of the following, using set_value to get the previous value:

Code:
<p>

set_value runs the form_prep function. If I enter any entities into a textbox, and the form is reloaded, the form displays the actual entity.

Example:
&lt; &gt; entered into textbox
Error shows, so form reloads
< > is what the textbox now shows.

Why is this? I would expect &lt; &gt; to show back up again, and that is in fact the behavior that normally occurs with standard htmlentities().

Is this a bug or desired effect? IMO user data should never be modified like this, and this is in fact the reason I have the global XSS filtering off.

Thoughts?

(ah, this forum does it too...)

Edit: That garbled mess above is the AND_LESS_THEN_SEMI_COLON and the AND_GREATER_THEN_SEMI_COLON entities...

yalambers - 07-19-2009

I am having a problem. I would like to know how to filter the < and > characters, because if anyone inputs <div> in the input, it would break the layout of my site.

drewbee - 07-19-2009

I actually extended the helper function form_prep (form_helper.php) with the following and commented out a few lines:

Code:
function form_prep($str = '')

That crap that is in the normal form is way overzealous... and does not mimic standard behavior. I ran this updated function against http://ha.ckers.org/xssAttacks.xml and it caught every instance.
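The behaviour the thread argues about, as an added example that is not code from the thread or from CodeIgniter itself: a PHP model of the two escaping strategies, run through the "submit, fail validation, redisplay via set_value()" loop that drewbee describes. `form_prep_preserving()` is an assumption about how the stock helper behaved (existing entities protected so they are not double-encoded), not the framework's actual source; `form_prep_strict()` is plain `htmlspecialchars()`, which is effectively what drewbee's edit falls back to. All function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not code from the thread or from CodeIgniter. It models the
// two escaping strategies discussed above and runs them through the
// "submit -> fail validation -> redisplay via set_value()" loop.
//
// Assumption: form_prep_preserving() approximates the behaviour drewbee
// describes (entities already present in the input are protected so they are
// not double-encoded) and is not the framework's real helper. All function
// names below are illustrative.

function form_prep_preserving(string $str): string
{
    $temp = '__TEMP_AMPERSANDS__';

    // Protect anything that already looks like an entity (&#60; or &lt;)
    $str = preg_replace('/&#(\d+);/', $temp . '\1;', $str);
    $str = preg_replace('/&(\w+);/', $temp . '\1;', $str);

    // Escape the raw metacharacters
    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

    // Put the protected entities back, unescaped, so "&lt;" stays "&lt;"
    $str = preg_replace('/' . $temp . '(\d+);/', '&#\1;', $str);
    $str = preg_replace('/' . $temp . '(\w+);/', '&\1;', $str);

    return $str;
}

// Plain htmlspecialchars(): every &, <, >, " and ' is escaped, every time.
// A literal "&lt;" typed by the user becomes "&amp;lt;" in the attribute.
function form_prep_strict(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// What the browser does with value="...": decode the attribute once, then
// submit that decoded string when the user resubmits the form untouched.
function browser_decode_attribute(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
}

// Run N validation-failure reloads and return what the textbox holds after each.
function reload_cycle(callable $prep, string $submitted, int $rounds = 3): array
{
    $seen  = [$submitted];
    $value = $submitted;
    for ($i = 0; $i < $rounds; $i++) {
        $value  = browser_decode_attribute($prep($value));
        $seen[] = $value;
    }
    return $seen;
}

// Constructed sample inputs: a literal entity, an escaped ampersand,
// yalambers' <div>, and a classic attribute-breakout attempt.
$inputs = ['&lt;', 'Tom &amp; Jerry', '<div>', '"><script>alert(1)</script>'];

foreach ($inputs as $in) {
    echo "input: $in\n";
    echo "  preserving: " . implode('  ->  ', reload_cycle('form_prep_preserving', $in)) . "\n";
    echo "  strict:     " . implode('  ->  ', reload_cycle('form_prep_strict', $in)) . "\n";
}
```

With the preserving variant, a user who typed `&lt;` sees `<` after the first reload and the original text is gone; the strict variant round-trips every input unchanged, which is the `htmlentities()`-style behaviour drewbee expected. Both variants still escape raw `<`, `>`, `"` and `'`, so `<div>` lands in the attribute as `&lt;div&gt;` and renders as text rather than markup; yalambers' layout problem is solved by escaping on output, not by stripping the characters from the stored data.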