libraries:input:xss_clean - does a rawurldecode : this breaks some post data, and is unnecessary

libraries:input:xss_clean - does a rawurldecode : this breaks some post data, and is unnecessary

El Forum
Unregistered

05-26-2010, 07:11 AM

[eluser]Unknown[/eluser]
libraries:input:xss_clean - does a rawurldecode : this breaks some post data, and is unnecessary

I have xss_clean configured on site wide.

I understand that post (input) data is urldecoded to try and prevent url encoded domains being submitted.

However

a - this is pointless as to get around it as a hacker I just need to double url encode my attack string
b - if I have a place holder in a template being submitted called say

Messages In This Thread

libraries:input:xss_clean - does a rawurldecode : this breaks some post data, and is unnecessary - by El Forum - 05-26-2010, 07:11 AM

libraries:input:xss_clean - does a rawurldecode : this breaks some post data, and is unnecessary - by El Forum - 05-26-2010, 09:57 AM

libraries:input:xss_clean - does a rawurldecode : this breaks some post data, and is unnecessary - by El Forum - 05-03-2011, 09:08 PM