Welcome Guest, Not a member yet? Register   Sign In
[solved] Form Validation |xss_clean| and incomplete HTML Links (<a> tag, a tag)

Hello all.

This is my first post, and I'm fairly new with the Codeigniter Framework. I'm currently using the latest version (2.0.2).

I've run into a strange response when submitting data from a form using the form_validation class and using its "xss_clean" form prepping function.

From what I can tell xss_clean sanitizes the "naughty" elements. This is straight from system/core/security.php

* Sanitize naughty HTML elements
         * If a tag containing any of the words in the list
         * below is found, the tag gets converted to entities.
         * So this: &lt;blink&gt;
         * Becomes: &lt;blink&gt;
        $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
        $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);

This is great. However, if you submit an incomplete HTML Link to a database or <a> tag (a tag) like this
<a href="url">Link text
You're page is going to be in a world of hurt if you echo out the response from the database later. Everything following the echoed out incomplete <a> tag is apart of the said link. I'm wondering if this is a bug or I'm missing something entirely?

I found I could resolve the problem by adding the a tag to the sanitized naughty HTML elements in the security.php file.

Thanks for any help.

Edit: This actually goes for other open HTML elements like <select>, etc

Edit 2: Easy fix, add strip_tags to form validation rules.

Messages In This Thread
[solved] Form Validation |xss_clean| and incomplete HTML Links (<a> tag, a tag) - by El Forum - 07-08-2011, 06:36 PM

Theme © iAndrew 2016 - Forum software by © MyBB