XSS replaces in the documentation
> (02-02-2018, 11:57 AM)Elias Wrote: Hello!

That's not an "XSS replace" ... The manual doesn't concern itself with XSS, because it doesn't need to. We use Sphinx to generate the manual from sources; we recently updated it, and apparently the older version used to render HTML entities, so they were written like that in our sources to avoid the string 'http://' being auto-converted to an anchor tag. Fixed the ones I've found: https://github.com/bcit-ci/CodeIgniter/c...c3081db7c0

> (02-10-2018, 12:46 PM)Elias Wrote: And as it seems to me, I found a bug in xss_clean() function/method:

Not a bug.

> (02-11-2018, 10:46 AM)wishmaster Wrote: Because regexp is a bad idea for filtering. Use Zend escaper and/or HTMLpurifier

That regexp argument is a red herring. It's true that regular expressions probably aren't the best tool for the job, but that's not at all what the flaw in xss_clean() is. The problem is that it is blind to context.
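Added example, not code from this thread or from CodeIgniter: the same constructed value is escaped for four output contexts (HTML text, quoted attribute, inline script string, URL parameter), while a hypothetical context-blind tag filter (`strip_angle_brackets`, invented here) passes the value through untouched because it never considers where the output lands.

```php
<?php
// Added example, not CodeIgniter code: escape per output context instead of
// "cleaning" input once. The input value below is constructed.

// HTML body text and quoted attribute values: entity-encode & < > " '.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inline <script> string literal: JSON-encode and also hex-escape < > & ' "
// so the value can close neither the string literal nor the script element.
function esc_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
                            | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

// URL query parameter: percent-encode everything outside the unreserved set.
function esc_url_param(string $s): string {
    return rawurlencode($s);
}

// Hypothetical context-blind filter of the kind the post argues against:
// it only looks for tag-like syntax and knows nothing about the sink.
function strip_angle_brackets(string $s): string {
    return str_replace(['<', '>'], '', $s);
}

$value = 'O\'Reilly & "Sons"';   // constructed: no tags, but quotes and an ampersand

// Each sink gets the encoding its own parser expects.
echo '<p>' . esc_html($value) . "</p>\n";
echo '<input name="q" value="' . esc_html($value) . "\">\n";
echo '<script>var q = ' . esc_js($value) . ";</script>\n";
echo '<a href="/search?q=' . esc_url_param($value) . "\">search</a>\n";

// The tag filter sees nothing to remove and returns the value unchanged, yet
// the double quote would end a value="..." attribute and the apostrophe a
// single-quoted JS string: the filter's verdict cannot depend on context
// it was never given.
var_dump(strip_angle_brackets($value) === $value);
```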