[Important] Bypass email validation
CodeIgniter Forums (https://forum.codeigniter.com), forum Development > Issues, thread /showthread.php?tid=72231
[Important] Bypass email validation - peter - 11-25-2018

Hello,

If I simply use this code to check an email in CI:

PHP Code:
$this->form_validation->set_rules('email', 'email', 'trim|required|valid_email');

I just need to send a form with this input:

Code:
"><svg/onload=confirm(1)>"@x.y

and I can bypass email validation...

The solution is to fix valid_email from Form_validation.php and add:

PHP Code:
$email = filter_var($email, FILTER_SANITIZE_EMAIL);

You should fix it in CI 3.2!

RE: [Important] Bypass email validation - jreklund - 11-25-2018

It's correctly validating it according to RFC 822. It doesn't care about XSS, due to the fact that it's a valid email address.
https://en.wikipedia.org/wiki/Email_address#Local-part

Also, ALL security concerns should be sent to: [email protected]
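The two posts above disagree about where the problem lives, so here is an added example in plain PHP that is not part of the thread and not CodeIgniter's own code. It shows three things side by side: that the quoted local-part address passes the same filter_var() check CodeIgniter 3's valid_email rule is built on, that the proposed FILTER_SANITIZE_EMAIL "fix" silently rewrites the input instead of rejecting it, and that escaping at output time is what keeps such a value inert in HTML. The function names (isValidEmail, sanitizeEmail, renderForHtml, hasQuotedLocalPart) and the sample inputs are constructed for this example.

```php
<?php
// Added example; not code from the CodeIgniter thread or from the framework.
// CodeIgniter 3's valid_email rule ultimately returns the result of
// filter_var($str, FILTER_VALIDATE_EMAIL), so isValidEmail() mirrors it.
declare(strict_types=1);

/** Syntactic validity as PHP's FILTER_VALIDATE_EMAIL judges it. */
function isValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * What the proposed change in the thread does: FILTER_SANITIZE_EMAIL strips
 * every character outside its allowed set rather than rejecting the input,
 * so the value that gets stored is no longer what the user submitted.
 */
function sanitizeEmail(string $email): string
{
    return (string) filter_var($email, FILTER_SANITIZE_EMAIL);
}

/**
 * Escape a value before placing it in HTML text or an attribute value.
 * This, not the validation rule, is what neutralises injected markup.
 */
function renderForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Optional policy check: a quoted local-part ("...") is RFC-valid but rare.
 * Rejecting it is an application decision, not an XSS fix; output escaping
 * is still required for every value that reaches a page.
 */
function hasQuotedLocalPart(string $email): bool
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;
    }
    $local = substr($email, 0, $at);
    return strlen($local) >= 2 && $local[0] === '"' && substr($local, -1) === '"';
}

// Constructed sample inputs: the address from the thread plus ordinary cases.
$samples = [
    'user@example.com',
    '"><svg/onload=confirm(1)>"@x.y',   // the input posted in the thread
    '"j.doe"@example.com',              // harmless quoted local-part
    'not an email',
];

foreach ($samples as $email) {
    printf("input:       %s\n", $email);
    printf("  valid:     %s\n", isValidEmail($email) ? 'yes' : 'no');
    printf("  quoted:    %s\n", hasQuotedLocalPart($email) ? 'yes' : 'no');
    printf("  sanitized: %s\n", sanitizeEmail($email));
    // The rendered form is safe to drop into <td>...</td> or value="..."
    printf("  rendered:  %s\n\n", renderForHtml($email));
}
```

Run it with `php example.php`. The thread's input is reported as valid, which is jreklund's point: the validation rule is doing its job. The sanitized column shows why adding FILTER_SANITIZE_EMAIL to valid_email is the wrong layer: it alters data instead of accepting or rejecting it, and a later view that echoes the raw field is still exposed. In a CodeIgniter 3 view the equivalent of renderForHtml() is the framework's html_escape() helper; if an application wants to refuse quoted local-parts outright, a custom validation rule built on something like hasQuotedLocalPart() does that without touching the framework's RFC-conformant check.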