CodeIgniter Forums
Security in post/get - Printable Version

Thread: Security in post/get (https://forum.codeigniter.com/thread-18582.html)



Security in post/get - El Forum - 05-11-2009

[eluser]ClaudioX[/eluser]
Hi all,

I'm using $this->input->post("field", TRUE) to protect the system, but I think the function does not do everything that I thought it would.

I'm doing one search page: the user writes the word in one input, and after the submit, I do one echo of the value of the input. As a test, I wrote "script alert("hello") /script", and the alert works...

Is there something in the framework that implements the slashes, trim, htmlentities? If not, what security do you advise me?

And really thanks to David Pennington, for this video about security. Thanks man!


Security in post/get - El Forum - 05-11-2009

[eluser]Thorpe Obazee[/eluser]
Do you mean you tested writing:
Code:
script alert(“hello”) /script

or

Code:
<script> alert(“hello”) </script>

?

EDIT: I actually tried it and it didn't work as the xss filter would replace the word '<script>' and '</script>' with '[removed]'
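The difference between the two posts above is input filtering versus output escaping. Added example (not from the thread, and not CodeIgniter's own code): plain PHP with no framework bootstrap; naive_input_filter() is a simplified stand-in for an input-side XSS filter, not CodeIgniter's real xss_clean(), and render_search_echo() is a hypothetical helper standing in for the view that echoes the search term.

```php
<?php
// Added example: contrast input-side XSS filtering with output-side escaping
// for the "echo the search term" case ClaudioX describes.
// Assumptions: plain PHP; naive_input_filter() is a simplified stand-in and
// NOT CodeIgniter's xss_clean(); render_search_echo() is a hypothetical view.

// Input-side filtering rewrites dangerous-looking tokens. It only covers the
// patterns it knows about, so it is a secondary control, not the main one.
function naive_input_filter(string $value): string
{
    return preg_replace('#</?script[^>]*>#i', '[removed]', $value);
}

// Output-side escaping encodes every character that has meaning in HTML,
// so whatever the user typed is rendered as text, never as markup.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Renders the "you searched for ..." line. $escape selects whether the view
// escapes on output, which is the control that actually stops the alert.
function render_search_echo(string $term, bool $escape): string
{
    $shown = $escape ? escape_html($term) : $term;
    return "<p>You searched for: {$shown}</p>";
}

// Constructed test input: the same probe string used in the thread.
$probe = '<script>alert("hello")</script>';

// 1. Raw echo: the markup reaches the browser intact and the alert fires.
echo render_search_echo($probe, false), PHP_EOL;

// 2. Input filter only: the script tag is defaced to [removed], but anything
//    outside the filter's pattern list passes through, and the stored value
//    is now altered, which also breaks the search itself.
echo render_search_echo(naive_input_filter($probe), false), PHP_EOL;

// 3. Output escaping: the browser shows the text literally, and the original
//    value is kept unmodified for the search query.
echo render_search_echo($probe, true), PHP_EOL;
```

Escape at the point of output for the context you are writing into (HTML body here); keep input filtering such as the TRUE flag on input->post() as defence in depth rather than the only protection.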