CodeIgniter Forums
$this->input->post() not escaping JS - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6)
+--- Forum: Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19)
+--- Thread: $this->input->post() not escaping JS (/showthread.php?tid=64184)



$this->input->post() not escaping JS - mstojanov - 01-25-2016

Why does $this->input->post() not escape JS scripts?

For example, what will happen if someone types <script>alert('test');</script> into a textarea?
It will be added to the database as it is, and the script will be executed wherever this textarea is shown.

Any suggestions?

Here is the var_dump from $this->input->post():

PHP Code:
array (size=1)
  'message' => string '<script>alert('test');</script>' (length=31)



RE: $this->input->post() not escaping JS - Narf - 01-25-2016

From a security POV, because a bug in the current XSS filter (or a new XSS attack made possible in the future) would mean that whatever you assumed safe at the time will be a reflected XSS vulnerability in the future.

Then, even if you leave that concern aside, we shouldn't assume that all input is HTML and/or JavaScript. Just 2 hours ago we received a bug report about non-HTML data being corrupted - the bug itself is invalid because the user had enforced the XSS filter, but it is a great example of how that can go wrong.

TL;DR: Validate input, filter output.
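The "validate input, filter output" rule above, as an added example that is not CodeIgniter's own code and not from anyone in this thread. It assumes PHP 7.3 or later, stands in for the database with a plain array, and the helper names escapeHtml(), escapeJs() and renderMessage() are hypothetical; only htmlspecialchars(), htmlentities() and json_encode() are real PHP functions, and html_escape() is the real CodeIgniter 3 helper mentioned in the comments.

```php
<?php
declare(strict_types=1);

// Added example, not CodeIgniter's own code. It simulates the flow from the
// thread: the value that $this->input->post('message') returns is stored
// untouched and escaped only when it is printed, using the rules of the
// context it is printed into.

// Constructed sample input, exactly as $this->input->post() hands it over.
$submitted = [
    "<script>alert('test');</script>",     // the payload from the first post
    "if (a < b && c > d) { s = \"ok\"; }", // legitimate text that is not HTML
];

// Stand-in for the database column: keep the raw string. Validate what you
// need here (length, allowed characters, required fields) but do not "clean"
// HTML at this point.
$stored = $submitted;

// HTML body text and quoted attribute values. CodeIgniter 3 ships
// html_escape(), which wraps htmlspecialchars() with ENT_QUOTES the same way.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A JavaScript string literal inside a <script> block. HTML entities are not
// decoded there, so htmlentities() is the wrong tool for this context; emit a
// JSON literal with the HTML-significant characters hex-escaped instead.
function escapeJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Hypothetical view: the same stored message printed into three contexts
// (element text, attribute value, JavaScript string), each escaped for that
// context at the moment of output.
function renderMessage(string $message): string
{
    return '<div class="message" data-msg="' . escapeHtml($message) . '">'
        . escapeHtml($message) . "</div>\n"
        . '<script>var lastMessage = ' . escapeJs($message) . ";</script>\n";
}

foreach ($stored as $message) {
    echo renderMessage($message);
}

// The raw value is still available for consumers that are not HTML, e.g. a
// JSON API response (served as application/json, it is never parsed as markup).
echo json_encode(['messages' => $stored], JSON_THROW_ON_ERROR), "\n";

// For contrast, the "escape before storing" variant: the second sample is
// now corrupted for every non-HTML consumer, because the entities stay in
// the stored text.
$storedEscaped = array_map(
    function (string $s): string {
        return htmlentities($s, ENT_QUOTES, 'UTF-8');
    },
    $submitted
);
echo $storedEscaped[1], "\n";
```

Run it from the command line with php and compare the two halves of the output: the script payload is printed as inert text in the HTML and as a hex-escaped string inside the <script> block, while the JSON response carries the original value. The last line shows what the escape-before-storing approach does to ordinary text, with the < and & characters replaced by entities that a plain-text email or an API client would then display verbatim.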


RE: $this->input->post() not escaping JS - siburny - 01-27-2016

So, bottom line, you just need to use htmlentities to escape HTML/JS:
htmlentities($this->input->post('message'));


RE: $this->input->post() not escaping JS - Narf - 01-27-2016

No, bottom line is XSS-escape what you print on a page, not what you put in your database.


RE: $this->input->post() not escaping JS - siburny - 01-27-2016

(01-27-2016, 05:13 PM)Narf Wrote: No, bottom line is XSS-escape what you print on a page, not what you put in your database.

Right, this is what I meant :)


RE: $this->input->post() not escaping JS - Narf - 01-28-2016

(01-27-2016, 07:35 PM)siburny Wrote:
(01-27-2016, 05:13 PM)Narf Wrote: No, bottom line is XSS-escape what you print on a page, not what you put in your database.

Right, this is what I meant :)

Yet you said nothing like that ...