[eluser]Unknown[/eluser]
Hello all.
This is my first post, and I'm fairly new to the CodeIgniter framework. I'm currently using the latest version (2.0.2).
I've run into a strange response when submitting data from a form using the form_validation class and its "xss_clean" form prepping function.
From what I can tell, xss_clean sanitizes the "naughty" elements. This is straight from system/core/security.php:
Code:
/**
 * Sanitize naughty HTML elements
 *
 * If a tag containing any of the words in the list
 * below is found, the tag gets converted to entities.
 *
 * So this: <blink>
 * Becomes: &lt;blink&gt;
 */
$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
This is great. However, if you submit an incomplete HTML link, i.e. an <a> tag, to a database like this:
Code:
<a href="url">Link text
Your page is going to be in a world of hurt if you echo out the response from the database later. Everything following the echoed-out incomplete <a> tag is a part of said link. I'm wondering if this is a bug or if I'm missing something entirely?
I found I could resolve the problem by adding the <a> tag to the sanitized naughty HTML elements in the security.php file.
Thanks for any help.
Edit: This actually goes for other open HTML elements like <select>, etc.
Edit 2: Easy fix: add strip_tags to the form validation rules.
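An added example (my own Python, not CodeIgniter's code or the poster's) that ports the blacklist regex quoted above, shows why an unclosed <a> slips past it, and compares the two remedies the thread mentions: strip_tags on input (approximated with a regex here) and escaping the stored value when it is echoed. The SUBMITTED and REST_OF_PAGE values are constructed samples.

```python
import html
import re
from html.parser import HTMLParser

# Port (illustration only, not CodeIgniter's code) of the CI 2.0.2 security.php regex.
NAUGHTY = ('alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|'
           'expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|'
           'layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss')
NAUGHTY_RE = re.compile(r'<(/*\s*)(' + NAUGHTY + r')([^><]*)([><]*)', re.I | re.S)

def sanitize_naughty_html(s):
    """Mimic _sanitize_naughty_html: entity-encode the brackets of blacklisted
    tags only. A tag not on the list (<a>, <select>, ...) passes through as-is."""
    def repl(m):
        tail = m.group(4).replace('>', '&gt;').replace('<', '&lt;')
        return '&lt;' + m.group(1) + m.group(2) + m.group(3) + tail
    return NAUGHTY_RE.sub(repl, s)

def strip_tags(s):  # rough stand-in for PHP's strip_tags(), the fix chosen in the post
    return re.sub(r'<[^>]*>', '', s)

def escape_on_output(s):  # output-side alternative: render the stored value as text
    return html.escape(s, quote=True)

class _Enclosed(HTMLParser):
    """Collects the text a browser would treat as the content of each <tag>."""
    def __init__(self, tag):
        super().__init__()
        self.tag, self.depth, self.buf, self.found = tag, 0, [], []
    def handle_starttag(self, name, attrs):
        self.depth += name == self.tag
    def handle_endtag(self, name):
        if name == self.tag and self.depth:
            self.depth -= 1
            self.found.append(''.join(self.buf).strip()); self.buf = []
    def handle_data(self, data):
        if self.depth: self.buf.append(data)
    def close(self):
        super().close()
        if self.depth:  # element never closed: it swallowed the rest of the page
            self.found.append(''.join(self.buf).strip())

def enclosed_text(page, tag):
    """Text inside each <tag> of the rendered page, unclosed elements included."""
    p = _Enclosed(tag); p.feed(page); p.close()
    return p.found

# Constructed sample: the value stored via the form, then page content echoed after it.
SUBMITTED = '<a href="url">Link text'
REST_OF_PAGE = ' <p>Next paragraph</p>'
```

`enclosed_text(sanitize_naughty_html(SUBMITTED) + REST_OF_PAGE, 'a')` reports that the following paragraph has become link text, while the same call over `strip_tags(SUBMITTED)` or `escape_on_output(SUBMITTED)` returns an empty list.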