XSS attack from Exceptions Lib?
#1

Xeoncross
I modified the Exceptions Lib to protect the user from XSS. However, I am not sure if this is necessary. Is the var $page ever composed from URL chars that are not cleaned?

If the values that make $page are just pulled from the URL path - this means that someone could send someone to site.com/path/[removed]xssattack[removed] and use it for a CSRF/XSS.


Code:
<?php
class MY_Exceptions extends CI_Exceptions {
    
    /**
     * Constructor
     *
     */    
    function MY_Exceptions(){
        parent::CI_Exceptions();
    }

    /**
     * 404 Page Not Found Handler
     *
     * @access    private
     * @param    string
     * @return    string
     */
    function show_404($page = '') {    
        //Make the $page name XSS safe
        parent::show_404(htmlentities($page, ENT_QUOTES, 'UTF-8'));
    }

}
?>
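
The escaping step from the post above, run over constructed path values (an added example, not part of the original post or of CodeIgniter). `render_404()` and `escape_page()` are hypothetical helpers, and `ENT_SUBSTITUTE` assumes PHP 5.4 or later.

```php
<?php
// Hypothetical stand-in for an error template that echoes the page name.
// It is not CodeIgniter's own template.
function render_404($page)
{
    return "<h1>404 Page Not Found</h1>\n<p>The page " . $page . " was not found.</p>";
}

// Same flags as the post's show_404() override, plus ENT_SUBSTITUTE so that
// invalid UTF-8 becomes U+FFFD instead of turning the whole string into ''.
function escape_page($page)
{
    return htmlentities((string) $page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values for $page (not taken from any real request).
$samples = array(
    'plain'        => 'blog/missing-post',
    'markup'       => 'path/<em title="x">test</em>',
    'single quote' => "path/it's",
    'invalid utf8' => "path/\xC3\x28",
);

foreach ($samples as $label => $page) {
    // The call exactly as written in the post.
    $as_posted = htmlentities($page, ENT_QUOTES, 'UTF-8');
    // The same call with invalid-byte substitution.
    $hardened  = escape_page($page);
    // None of < > " ' may survive escaping, or markup could reach the page.
    $clean = !preg_match('/[<>"\']/', $hardened);

    printf("%s\n", $label);
    printf("  as posted:   %s\n", var_export($as_posted, true));
    printf("  hardened:    %s\n", var_export($hardened, true));
    printf("  markup-free: %s\n", $clean ? 'yes' : 'no');
}

// The escaped value is inert text once placed in the template.
echo render_404(escape_page($samples['markup'])), "\n";
```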

