Escaping issue with my code and/or database?
#1

[eluser]err403_love[/eluser]
I've just started using CI a few days ago and have already managed to create a fairly robust database driven webapp, at least considering how new I am. :)

So for my very first CI problem (how exciting!):

Inputting the title "X&Y" into my database results in "X&Y;".

If I type in "X&YY" it does the same, and I get "X&YY;".

So I managed to figure out that if I have no whitespace on either side of the ampersand, it will always add a semicolon to the end of the string. So, "X & Y" would turn out fine.

Also, if I type "X& amp ;Y" (remove the spaces) into my input field, it adds just fine as well.

So I assume CI tries to escape this by automatically ending a string with a semicolon if it contains an ampersand with no whitespace? How do I stop this behavior? Why isn't it just converting ampersands to their HTML entities?

I apologize if this isn't even a CodeIgniter problem, and I do admit it's a pretty noobish question to be asking, but any help would be appreciated. :)

Thank you.

EDIT: I actually had to jump through a hoop just to get this posting right!!! It was automatically adding the semi-colons to my first examples! To fake it I had to type out the HTML entities myself!

EDIT2: Try typing it out for yourself! I just had to edit this post 10 times to get it displaying correctly.

EDIT3: I guess this is now officially a bug report. CI should not be doing this to input.
#2

[eluser]Pascal Kriete[/eluser]
Do you have global xss cleaning turned on or are you otherwise passing your data through that function? It adds the semicolons to make the filtering more robust.
#3

[eluser]err403_love[/eluser]
Oh, I see. I'll have to check.

Robust, indeed. I'll have to weigh the benefits then.. I don't want my content displaying semi-colons for no good reason. (Because, like I said, why doesn't it instead store ampersands as their HTML entities in a database? That's the same as inserting random semi-colons.)

Any control over that specific function? I haven't delved much into the system folder, but I believe I may be able to change it by using a hook, or just by extending the library (if it is a library)?

Or is there some way to bypass it before running my UPDATE query? I think those characters SHOULD be stored as their HTML entities, and like I already said I'm not sure why they aren't..

Thanks for your reply.
#4

[eluser]Pascal Kriete[/eluser]
It really depends on where it runs. Can you try just echoing the data where you would otherwise insert and check if it's already escaped. If it isn't I presume the easiest workaround would be:
Code:
$text = str_replace('&', '&amp;', $text);

If it is already escaped, can you tell us how it's coming in? Also, check your application/config/config.php file for:
Code:
$config['global_xss_filtering'] = TRUE;
#5

[eluser]err403_love[/eluser]
Well, I did turn XSS Filtering on, but I didn't think it would have such odd side effects. I think a str_replace is highly unnecessary as the Database class should be auto-escaping HTML entities to well.. HTML Entities. I mean, when you're inputting an ampersand into an input box, when is it NOT going to be displayed as HTML?

Can I extend the Database class to do this automatically? I'd still prefer to call this a "bug" though.

X&Y;A&B;AA&BB;CCC&DDD;SOMETHING&SOMETHING;

Edit:
I did not type a single semi-colon by myself (see: above ^^), and it also removed the spaces between them. I think this is a pretty big issue..

Why aren't the CodeIgniter devs themselves escaping ampersands then on this board? :)

----

Edit2: And regarding your example for str_replace, that wouldn't even work. What if the HTML entity (& amp ; - minus spaces) is already being typed in? Then you would get & amp ; amp ; (minus spaces) or something strange.

Then I'd have to do a preg_replace for better precision, and that's much more intensive. Then the other option would be to use the PHP function to convert everything to HTML entities, and I still don't want to have to do that for all input before my UPDATE and INSERT queries.
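The two replies above (the str_replace workaround in #4 and the double-encoding objection in #5) boil down to one point: SQL escaping and HTML escaping are different jobs, and HTML entities belong at output time, not in the database. The following is an added example, not code from the thread or from CodeIgniter; it uses plain PDO with an in-memory SQLite database (assumed to be available) instead of CI's DB class, and the function names are made up for illustration.

```php
<?php
// Added example (not from the thread): compares the blind str_replace
// workaround with output-time escaping, and shows raw storage via a
// parameterised query so the driver handles SQL quoting.

function naiveEscape(string $text): string
{
    // The workaround from post #4: every '&' becomes '&amp;', even when the
    // input already contains an entity, so 'X&amp;Y' turns into 'X&amp;amp;Y'.
    return str_replace('&', '&amp;', $text);
}

function escapeForHtml(string $text): string
{
    // Escape only when rendering. double_encode=false leaves an existing
    // valid entity alone, so 'X&amp;Y' stays 'X&amp;Y' instead of doubling.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Constructed sample titles, including the cases raised in the thread.
$samples = ['X&Y', 'X&amp;Y', 'X & Y', 'A<B>"C"'];

foreach ($samples as $s) {
    printf("%-10s naive: %-14s output-escaped: %s\n", $s, naiveEscape($s), escapeForHtml($s));
}

// Store the raw text; parameter binding does the SQL escaping, so no HTML
// entities (and no stray semicolons) end up in the column.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (title TEXT)');
$insert = $db->prepare('INSERT INTO items (title) VALUES (?)');
foreach ($samples as $s) {
    $insert->execute([$s]);
}

// Escape at the point of display, once, in the HTML context.
foreach ($db->query('SELECT title FROM items') as $row) {
    echo '<li>' . escapeForHtml($row['title']) . "</li>\n";
}
```

Running this prints `X&amp;amp;Y` in the "naive" column for the already-encoded sample and `X&amp;Y` in the "output-escaped" column, which is exactly the double-encoding objection in Edit2. The list items at the end render every title correctly, including the one containing `<`, `>` and quotes, while the database keeps the text the user actually typed.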