XSS attack in CodeIgniter 2.1.3
[eluser]satej[/eluser]
When I post the following text in an input field, an alert fires when the page is loaded again. I checked some forum posts and found that this error was fixed in CodeIgniter version 2.1.2. Can anyone please provide any insight?
Code:
" onfocus="alert(123);" \
Thanks!
[eluser]satie[/eluser]
Sorry for my question: in config/config.php, did you enable the XSS filter?
Code:
$config['global_xss_filtering'] = TRUE;
Or have you checked this page? http://ellislab.com/codeigniter/user-gui...urity.html
[eluser]satie[/eluser]
Please post the code of the controller that accepts the input and the model function that inserts the data into the DB.
[eluser]Pert[/eluser]
I don't think the XSS filter does escaping; it only removes suspicious code like script tags. You should run values through the htmlentities() function manually. This will also ensure that if people try to enter double quotes as a valid value in the input field, it will work fine. http://stackoverflow.com/questions/20042...otes-value
[eluser]RaGe10940[/eluser]
The XSS filter in CI is merely a blacklist approach to "filtering" input. One should not be using this approach. I would highly suggest using the native PHP functions (filter_var and what not) to actually filter input. You should also ALWAYS use htmlspecialchars with UTF-8 and ENT_QUOTES as the options. Just my two cents.
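The two replies above both come down to the same point: the payload from the question breaks out of the value="..." attribute, and a blacklist cannot fix that, only context-correct escaping at output time can. The following is an added example written for this thread, not code from the original posts or from CodeIgniter; the function names render_input_unsafe, render_input_safe, esc and validate_quantity are made up for illustration, and the input string is the payload posted in the question.

```php
<?php
// Added example, not from the original thread or from CodeIgniter.
// Constructed input: the exact payload from the question.
$payload = '" onfocus="alert(123);" \\';

// Vulnerable: the value is concatenated into an attribute unescaped.
// The first double quote closes value="...", so the remainder becomes an
// onfocus attribute and the handler runs when the field gets focus.
function render_input_unsafe(string $value): string
{
    return '<input type="text" name="title" value="' . $value . '">';
}

// Hardened: escape for the HTML attribute context. ENT_QUOTES escapes
// both " and ' (the default leaves ' alone, which matters for attributes
// written with single quotes); the charset is given explicitly so the
// escaping does not depend on the default_charset ini setting.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Because &quot; is decoded by the browser back into a literal " inside
// the attribute, a user who legitimately types double quotes sees them
// again in the field, which a strip-the-quotes blacklist would break.
function render_input_safe(string $value): string
{
    return '<input type="text" name="title" value="' . esc($value) . '">';
}

// filter_var is a separate layer: input validation that rejects values
// which should never reach the database at all. It does not replace
// output escaping, since a valid free-text field may still contain quotes.
function validate_quantity($raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return $n === false ? null : $n;
}

echo "Unsafe:  " . render_input_unsafe($payload) . "\n";
echo "Escaped: " . render_input_safe($payload) . "\n";
var_dump(validate_quantity('42'));                         // int(42)
var_dump(validate_quantity('42" onfocus="alert(1)'));      // NULL
```

Run it with php from the command line. In the unsafe line the double quotes are intact and the markup now carries an onfocus attribute; in the escaped line every double quote has become &quot;, so the whole payload stays inside the value. One caveat worth keeping in mind when the model inserts the data: escape when rendering, not when storing. If htmlentities() is applied before the INSERT and again in the view, the field displays &amp;quot; instead of a quote, and the stored copy is useless for any non-HTML consumer.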