A little confusion about security
#3

(09-07-2015, 04:45 AM)Diederik Wrote: I hope I understand your question correctly, I think you could use the xss_clean() for this job. It will allow you to populate the inputs in your form with the (unescaped) posted data and then have xss_clean() filter the entire output before sending it back to the browser.

Hello Diederik,

First, thanks for your reply. Smile

Because I use CI's input library, my post data is automatically escaped. The problem is, before I send form data to my database, I use ascii_to_entities($this->input->post('content')) to ensure that all characters like ", ', ä, etc. are converted to their entity; for example, an apostrophe in word has the code 145 (I think), but I need the code 39 to make it actually appear in my browser. ascii_to_entities() does this. It converts the apostrophe to ', which is the apostrophe I want.
However, if I use the form_helper, which internally uses html_escape, it converts & to &amp;. The next time I save this, ascii_to_entities() converts & and the whole thing repeats.

Because I don't use bb-code to create my post entries, the html_escape() function converts tags like <p>, <br> and so on to e.g. &lt;br&gt;, which is absolutely OK, because it prevents executing, for example, JavaScript (<script>alert(document.cookie)</script>).

When I turn html_escape off (by using e.g. form_input('field', 'value', false)), it is a security issue, because the JS code above could be executed.

Hope this was clearer; I don't know how to describe this kind of problem.. Confused

-.-.-.-.-.-.-.-.- Angel -.-.-.-.-.-.-.-.-
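The mix-up described in the post (entity-encoding the text before it is stored, then escaping it again when the form is redisplayed) can be reproduced in a few lines. This is an added example, not code from the thread or from CodeIgniter; it uses plain PHP stand-ins for the two helpers (CI's html_escape() wraps htmlspecialchars(), and ascii_to_entities() turns non-ASCII characters into numeric entities), and the function names below are hypothetical. It shows why the field ends up displaying a literal "&#233;" instead of "é", and that storing the raw text and escaping only at output time both fixes the display and keeps the <script> payload inert.

```php
<?php
// Added example (not from the thread or from CodeIgniter): the double-encoding
// round trip from the post versus the store-raw, escape-on-output pattern.
declare(strict_types=1);

// Stand-in for CI's ascii_to_entities(): non-ASCII characters -> numeric entities.
function demo_ascii_to_entities(string $s): string
{
    return preg_replace_callback('/[^\x00-\x7F]/u', function (array $m): string {
        return '&#' . mb_ord($m[0], 'UTF-8') . ';';
    }, $s);
}

// Stand-in for CI's html_escape(): the same htmlspecialchars() call it wraps.
function demo_html_escape(string $s, bool $doubleEncode = true): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

// What the browser puts into the field: it decodes the value="..." attribute.
function demo_browser_decode(string $attributeValue): string
{
    return html_entity_decode($attributeValue, ENT_QUOTES, 'UTF-8');
}

// The flow from the post: encode before saving, escape again when redisplaying.
function broken_round_trip(string $posted): array
{
    $stored    = demo_ascii_to_entities($posted);   // "é" becomes "&#233;" in the DB
    $attribute = demo_html_escape($stored);         // "&#233;" becomes "&amp;#233;"
    $shown     = demo_browser_decode($attribute);   // user sees literal "&#233;"
    return ['stored' => $stored, 'attribute' => $attribute, 'shown' => $shown];
}

// Store the raw text; escape only when it is written into HTML.
function fixed_round_trip(string $posted): array
{
    $stored    = $posted;                           // raw UTF-8 in the DB
    $attribute = demo_html_escape($stored);         // "<script>" becomes "&lt;script&gt;"
    $shown     = demo_browser_decode($attribute);   // user sees the original text
    return ['stored' => $stored, 'attribute' => $attribute, 'shown' => $shown];
}

// Constructed sample input: a non-ASCII character plus the payload from the post.
$input = "Café <script>alert(document.cookie)</script> it's";

$broken = broken_round_trip($input);
$fixed  = fixed_round_trip($input);

// Field contents: the broken flow shows "Caf&#233; <script>...", the fixed flow "Café <script>..."
echo "broken shown:    ", $broken['shown'], PHP_EOL;
echo "fixed shown:     ", $fixed['shown'], PHP_EOL;
// In both cases the attribute never contains a live <script> tag, so nothing executes;
// the fixed flow is also stable: re-posting $fixed['shown'] stores the same bytes again.
echo "fixed attribute: ", $fixed['attribute'], PHP_EOL;
echo "stable:          ", var_export($fixed['shown'] === $input, true), PHP_EOL;
```

The point for the original question is that escaping belongs at the output boundary only: the database keeps the text the user typed, html_escape() (or form_input() with escaping left on) neutralises tags on every redisplay, and nothing is ever encoded twice. CI 3's html_escape() also takes a second $double_encode argument that, when FALSE, leaves existing entities alone, but that only papers over the symptom; storing raw text avoids the problem entirely.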


Messages In This Thread
A little confusion about security - by Urastor - 09-06-2015, 12:37 PM
RE: A little confusion about security - by Urastor - 09-07-2015, 06:18 AM


