+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6)
+--- Forum: Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19)
+--- Thread: [Important] Bypass email validation (/showthread.php?tid=72231)
[Important] Bypass email validation - peter - 11-25-2018
Hello,
If i simply use this code to check an email in CI :
PHP Code:
$this->form_validation->set_rules('email', 'email', 'trim|required|valid_email');
I just to need to send a form with this input :
Code:
"><svg/onload=confirm(1)>"@x.yand I can bypass email validation....
The solution is to fix valid_email from Form_validation.php and add :
PHP Code:
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
You should fix it in CI 3.2 !
RE: [Important] Bypass email validation - jreklund - 11-25-2018
It's correctly validating it according to RFC 822. It dosen't care about XSS, due to the fact that's an valid email address.
https://en.wikipedia.org/wiki/Email_address#Local-part
Also, ALL security concerns should be sent to:
[email protected]