CodeIgniter Forums
Multiple xss_clean Bypass - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Multiple xss_clean Bypass (/showthread.php?tid=42563)
Multiple xss_clean Bypass - El Forum - 06-10-2011

[eluser]Unknown[/eluser]
I started to look into CodeIgniter security, specifically the xss_clean function. Unfortunately this is a great example of the wrong way to do it. xss_clean relies on a black list and filter approach, which will never work. I was able to bypass this in 3 unique ways in just a few minutes of testing (will not post them for obvious reasons).

I will e-mail them to a member of the development team, but I wanted to post to have this function considered for removal, or replaced with something more hardened that depends on a white list, like HtmlPurifier.
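To make the white-list point concrete, here is an added example of an allow-list HTML sanitizer written for this thread. It is not CodeIgniter's xss_clean and not HtmlPurifier; the function name sanitize_html, the ALLOWED_TAGS table and the sample input are assumptions made for the illustration. Instead of searching input for known-bad patterns, it parses the markup into a DOM, keeps only the elements and attributes it has been told are acceptable, and lets the serializer re-encode everything else as text.

```php
<?php
// Added example, not CodeIgniter or HtmlPurifier code: an allow-list sanitizer.
// Everything not explicitly permitted below is removed; nothing is "filtered".
const ALLOWED_TAGS = [
    'p'  => [],
    'b'  => [],
    'i'  => [],
    'ul' => [],
    'li' => [],
    'a'  => ['href'],   // the only attribute permitted anywhere
];

function clean_node(DOMNode $node): void
{
    // Copy the child list first, because removing children mutates it.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                       // text is escaped on output by saveHTML()
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);     // comments, processing instructions, etc.
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unknown element: drop it with its contents (covers script, style,
            // iframe and anything else not on the list).
            $node->removeChild($child);
            continue;
        }
        // Strip every attribute that is not allow-listed for this tag
        // (event handlers such as onclick never appear on the list).
        foreach (iterator_to_array($child->attributes) as $attr) {
            if (!in_array(strtolower($attr->name), ALLOWED_TAGS[$tag], true)) {
                $child->removeAttribute($attr->name);
            }
        }
        // Links keep their href only for http(s) URLs; other schemes are dropped.
        if ($tag === 'a' && $child->hasAttribute('href')) {
            if (!preg_match('#^https?://#i', trim($child->getAttribute('href')))) {
                $child->removeAttribute('href');
            }
        }
        clean_node($child);                 // recurse into permitted elements
    }
}

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // malformed input must not warn
    // The XML PI forces UTF-8; the wrapper div gives fragments a single root.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div id="root">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    clean_node($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);     // text nodes come back entity-encoded
    }
    return $out;
}

// Constructed sample input for the demonstration.
$input = '<p onclick="x()">Hi <b>there</b> <a href="javascript:void(0)">link</a>'
       . '<script>alert(1)</script> 1 &lt; 2</p>';
echo sanitize_html($input), PHP_EOL;
```

With the constructed input above the output is `<p>Hi <b>there</b> <a>link</a> 1 &lt; 2</p>`: the onclick attribute, the non-http href and the script element are gone because they were never permitted, and the literal text is re-encoded by the serializer rather than matched against a pattern. Whether to drop an unknown element with its contents (done here) or to unwrap it and keep its text is a policy decision; the safe default is the former.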