CodeIgniter Forums
Are there any security issues I need to worry about jquery-ui-autocomplete working with get array enabled - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Are there any security issues I need to worry about jquery-ui-autocomplete working with get array enabled (/showthread.php?tid=40303)

Are there any security issues I need to worry about jquery-ui-autocomplete working with get array enabled - El Forum - 04-05-2011

[eluser]edjon2000[/eluser]
Hello all

After several weeks of struggling I have finally managed to get the jquery ui autocomplete widget working and reading data from a mysql database however I have had to enable the get array in ci, do I need to be worried about any security problems.

I am using the following

jquery-1.5.1.js

jquery.ui.core.js
jquery.ui.widget.js
jquery.ui.position.js
jquery.ui.autocomplete.js

I am using jquery ui version 1.8.11
CI 2.0.1 with GET array enabled

Jon

Are there any security issues I need to worry about jquery-ui-autocomplete working with get array enabled - El Forum - 04-05-2011

[eluser]InsiteFX[/eluser]
As with any online software.

NEVER TRUST USER INPUT!

InsiteFX

Are there any security issues I need to worry about jquery-ui-autocomplete working with get array enabled - El Forum - 04-05-2011

[eluser]edjon2000[/eluser]
Hi InsiteFX thanks for the response

I should probably escape the input using
Code:
$keyword = $this->input->get('term');
instead of
Code:
$keyword = $_GET['term'];

I already have CSRF protection enabled, although I did read elsewhere on this forum that some members were having problems with that I also noticed that a lot of the posted code examples had $AJAX{ ... in the js for the view what was that all about?

Jon

Are there any security issues I need to worry about jquery-ui-autocomplete working with get array enabled - El Forum - 04-05-2011

[eluser]InsiteFX[/eluser]
There is a second parameter to $this->input
Code:
$keyword = $this->input->get('term', TRUE);  // TRUE use the XSS filter

InsiteFX

Are there any security issues I need to worry about jquery-ui-autocomplete working with get array enabled - El Forum - 04-05-2011

[eluser]InsiteFX[/eluser]
Quote:I already have CSRF protection enabled, although I did read elsewhere on this forum that some members were having problems with that I also noticed that a lot of the posted code examples had $AJAX{ ... in the js for the view what was that all about?

They are putting the Ajax code in their views, I always put my jQuery code into stand alone files jQuery code does not belong in the view only to load it.

If you use files like I do place your scripts at the bottom of the html file just before the closing </body> tag. But load the jQuery and jQuery UI in the head tags.

InsiteFX

Are there any security issues I need to worry about jquery-ui-autocomplete working with get array enabled - El Forum - 04-05-2011

[eluser]edjon2000[/eluser]
[quote author="InsiteFX" date="1302035865"]There is a second parameter to $this->input
Code:
$keyword = $this->input->get('term', TRUE);  // TRUE use the XSS filter

InsiteFX[/quote]

For now I actually have global XSS filtering enabled and may leave it that way as it doesn't seem to slow the site down much at all (my page load times are below 1 sec after caching so far and actual page execution time is below 0.2 seconds)

[quote author="InsiteFX" date="1302036255"]
Quote:I already have CSRF protection enabled, although I did read elsewhere on this forum that some members were having problems with that I also noticed that a lot of the posted code examples had $AJAX{ ... in the js for the view what was that all about?

They are putting the Ajax code in their views, I always put my jQuery code into stand alone files jQuery code does not belong in the view only to load it.

If you use files like I do place your scripts at the bottom of the html file just before the closing </body> tag. But load the jQuery and jQuery UI in the head tags.

InsiteFX[/quote]

I have most of the code outside the view apart from the following
Code:
[removed]
<!--
    $(function() {
        function log( message ) {
            $( "<div/>" ).text( message ).prependTo( "#log" );
            $( "#log" ).attr( "scrollTop", 0 );
        }

        $( "#town" ).autocomplete({
            source: "&lt;?php echo site_url(); ?&gt;admin/vacancy_admin/location_autocomplete",
            minLength: 2,
            select: function( event, ui ) {
                log( ui.item ?
                    "Selected: " + ui.item.value + ui.item.id :
                    "Nothing selected, input was " + this.value );
            }
        });
    });
//--&gt;
    [removed]

Although I could probably move that as well, I'm not sure, I am still very new with javascript I find it a difficult language to pick up

with the jquery and jquery ui files, I load them dynamically into the header for that page only (it keeps page sizes down) I use a common header and footer throughout the site

Jon