CodeIgniter XSS Protection is good, but not enough by itself.
#3

[eluser]WanWizard[/eluser]
Read it. And find it of limited use.

None of the examples given poses a threat in itself. Whether or not a string is a threat depends on where you use it. "FORMAT C:" is a totally innocent string. Unless typed in on the command line of a Windows box.
The examples used 'could' be a threat if you echo the post variable back as part of an HTML tag. How likely is that, for anyone with a bit of common sense?

And, since the article was published only a few weeks ago, he could have checked 2.0 as well. Which would have revealed that the XSS clean functionality has been completely rewritten, which includes, amongst others, encoding.

I agree with Jelmer's response to the article that global XSS cleaning is often unnecessary, or even unwanted, and that you should always be conscious about the possible security issues with the application you're building. And act upon that.


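The point made in the post above, that the same string is inert or dangerous depending on the HTML context it is echoed into, can be shown directly. The following is an added example and is not code from the original post or from CodeIgniter; it uses only PHP's standard htmlspecialchars() and the DOM extension, and the helper names (esc_html, esc_attr, render, has_event_handler) and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example (not from the original post or CodeIgniter).
// Assumes PHP 7.4+ with the DOM extension enabled (default in most builds).
declare(strict_types=1);

// Escape for HTML text content (between tags).
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a *quoted* attribute value. Same encoding as esc_html, but the
// caller must wrap the result in double quotes: an unquoted attribute can
// still be ended by a plain space even after escaping.
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render an untrusted $value in three HTML contexts, escaped or not.
function render(string $value, bool $escape): array
{
    $text = $escape ? esc_html($value) : $value;
    $attr = $escape ? esc_attr($value) : $value;
    return [
        'text'     => "<p>$text</p>",
        'quoted'   => "<input value=\"$attr\">",
        // Deliberately wrong: nothing stops a space from ending the value.
        'unquoted' => "<input value=$attr>",
    ];
}

// Parse the fragment the way a browser would and report whether any element
// ended up with an on* event-handler attribute the template never intended.
function has_event_handler(string $html): bool
{
    $doc = new DOMDocument();
    // @ silences libxml warnings for malformed markup; we only inspect the tree.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: the post's harmless string, an attribute
// break-out, and a tag injection.
$samples = [
    'FORMAT C:',
    '" onmouseover="alert(1)',
    '<img src=x onerror=alert(1)>',
];

foreach ($samples as $value) {
    foreach ([false, true] as $escape) {
        foreach (render($value, $escape) as $ctx => $html) {
            printf(
                "%-28s escape=%-5s %-8s %s\n",
                var_export($value, true),
                $escape ? 'yes' : 'no',
                $ctx,
                has_event_handler($html) ? 'HANDLER INJECTED' : 'inert'
            );
        }
    }
}
```

Run as-is, the table shows what the post argues: "FORMAT C:" is inert everywhere; the quote-break-out string is inert in text context but injects a handler in the quoted attribute when unescaped; the img tag injects in text context but not inside a quoted attribute; and the unquoted attribute stays injectable for the break-out string even after escaping, because escaping does not quote. Context-aware escaping at output time, with attributes always quoted, is what actually decides whether a string is a threat, not a global clean on input.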
Messages In This Thread
CodeIgniter XSS Protection is good, but not enough by itself. - by El Forum - 09-16-2010, 01:44 PM
