[eluser]Dan Bowling[/eluser]
I've got a login page where users with an ampersand in their password encounter a bug where their password gets a semicolon added to it.
For example:
"test" works fine
"test&" works fine
"test&test;" produces "test&test;"
Any ideas on this? I don't see this as a described behavior in the input or form validation classes.
Here is my offending code. The semicolon is even displayed in the print_r() echo.
Code:
function index()
{
    // print_r() only returns its output when the second argument is TRUE;
    // without it the array is printed directly and the echo emits "<pre>1<pre>"
    echo '<pre>'.print_r($_POST, TRUE).'</pre>';

    // Set the error delimiters to make things pretty
    $this->form_validation->set_error_delimiters('<p><span class="error">', '</span></p>');

    // Set up the form validation rules, and associated error messages
    $this->form_validation->set_rules('username', 'username', 'required|callback_username_check');
    $this->form_validation->set_rules('password', 'password', 'required');

    // Run the validation
    if ($this->form_validation->run() == FALSE)
    {
        $data['app_name'] = $this->config->item('app_name');
        $this->load->view('authenticate/login_form', $data);
    }
    else
    {
        // Second argument FALSE: do not run xss_clean() on these values here
        // (has no effect if the global XSS filter already rewrote $_POST)
        $username = $this->input->post('username', FALSE);
        $password = $this->input->post('password', FALSE);
        // ... rest of the login handling not shown in the post
    }
}
I even encounter the problem with this stripped-down version:
Code:
function index()
{
    // Dump the raw POST array before any validation runs
    print_r($_POST);
    $data['app_name'] = $this->config->item('app_name');
    $this->load->view('authenticate/login_form', $data);
}
Firebug says that the post data being sent is good, and doesn't have the semicolon, and the problem is repeatable in IE8.
EDIT:
I eventually solved this myself before anyone responded. The issue is the XSS filter that is applied. So I disabled it on the controller that is affected and set up the other inputs to xss_clean manually.
Code:
// Keep global XSS filtering on everywhere except when the request URI is exactly
// 'authenticate' (CodeIgniter's stock config.php names this key global_xss_filtering)
$config['global_xss'] = ! in_array($_SERVER['REQUEST_URI'], array('authenticate'));
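Why the stray semicolon appears, and why it breaks login, as an added Python example that is not code from the post above or from CodeIgniter: the block reproduces, as my own reconstruction, the one xss_clean() rule that treats a bare "&" followed by two or more alphanumerics as an HTML entity missing its ";" (the exact regex is an assumption), then feeds the rewritten value into a normal salted PBKDF2 password check. The password, KDF parameters and the login() helper are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Reconstruction of the "add a missing ';' to entity-looking text" step of
# CodeIgniter's Input::xss_clean(). Assumption: this is the rule at work; it is
# not copied from the framework.
_ENTITY_FIXUP = re.compile(r"(&#?[0-9a-z]{2,})([\x00-\x20])*;?", re.IGNORECASE)

PBKDF2_ITERATIONS = 100_000  # assumption: any modern password KDF would do


def ci_entity_fixup(value: str) -> str:
    """Rewrite value the way the global XSS filter does before the controller sees it."""
    return _ENTITY_FIXUP.sub(lambda m: m.group(1) + ";" + (m.group(2) or ""), value)


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest) for storage; the password is hashed byte-for-byte."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the submitted password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def login(submitted: str, salt: bytes, digest: bytes, global_xss: bool) -> bool:
    """Simulate the controller: with global_xss on, $_POST was rewritten before post() ran."""
    seen_by_controller = ci_entity_fixup(submitted) if global_xss else submitted
    return verify_password(seen_by_controller, salt, digest)


if __name__ == "__main__":
    # Constructed sample passwords mirroring the cases in the post
    for pw in ["test", "test&", "test&test", "test&test;"]:
        print(repr(pw), "->", repr(ci_entity_fixup(pw)))
    salt, digest = hash_password("test&test")  # registered while the filter was off
    print("raw POST login:", login("test&test", salt, digest, global_xss=False))
    print("filtered login:", login("test&test", salt, digest, global_xss=True))
```

Run it and "test&test" becomes "test&test;" while "test" and "test&" pass through untouched, which is exactly the pattern reported; the filtered login then fails against a hash made from the unfiltered password. The general lesson matches the fix in the edit: a sanitizer meant for rendered output must never touch a secret that is only ever hashed, so filter per field at output time rather than globally at input time.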