Input Lib: XSS Clean
#1

[eluser]louis w[/eluser]
Maybe not a "bug" but something that should be thought about and possibly improved.

With global xss clean on, someone is able to manipulate the output of a page by injecting HTML into a variable when that variable is being output directly to the browser (e.g. to pass along to the next stage of a form).

Example:
destination = whatever"><h1>Hello</h1>youwhat
#2

[eluser]Pascal Kriete[/eluser]
The xss filter is not an html filter. It filters javascript and other code that might be harmful to you or your users. Everything else is up to you as the developer.

Does that clear things up?
#3

[eluser]louis w[/eluser]
I understand, just saying it might be nice to offer additional support to protect against XSS attacks. And it could be harmful. This would be considered an XSS reflected/trusted site attack.

somevar=foo"><a >Click here to log in</a>

I understand that you would not want to scrub this for every posted element, but could be handy.
#4

[eluser]Pascal Kriete[/eluser]
If you don't want html to display, convert it to entities. Sorry if I'm being thick, but I'm just not seeing how this is harmful.

Now if you're putting this into a form, it should definitely be using form_prep to make sure you're not breaking out of the entry field.
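The break-out described in this thread and the entity-encoding fix Pascal points to, as an added example that is not code from the thread or from CodeIgniter itself. The helper names (hidden_field_unsafe, hidden_field_safe, escape_attr, round_trips) are this example's own, and escape_attr is a stand-in built on htmlspecialchars for what an attribute-escaping helper such as form_prep should do, not CodeIgniter's implementation. The payloads are constructed to match the two posted above; the attacker URL is made up.

```php
<?php
// Added example (not from the thread or CodeIgniter). Shows how a reflected
// value breaks out of a value="" attribute, and how entity-encoding keeps it
// inside. Helper names here are assumptions, not CodeIgniter's API.

/**
 * Vulnerable: reflects the value straight into a value="" attribute.
 * A double quote in the input closes the attribute and everything after
 * it is parsed as markup, so the injected tags render on the page.
 */
function hidden_field_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

/**
 * Stand-in for an attribute-escaping helper (what form_prep is for; this is
 * not its implementation). ENT_QUOTES encodes both " and ', so the result is
 * safe in single- and double-quoted attributes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string.
 */
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

/**
 * Hardened: every untrusted piece is encoded before it meets the markup.
 */
function hidden_field_safe(string $name, string $value): string
{
    return '<input type="hidden" name="' . escape_attr($name)
         . '" value="' . escape_attr($value) . '">';
}

/**
 * Check that encoding is lossless: the browser decodes entities when it
 * reads the attribute, so the form still submits the original string.
 */
function round_trips(string $value): bool
{
    return html_entity_decode(escape_attr($value), ENT_QUOTES | ENT_HTML401, 'UTF-8') === $value;
}

// Constructed payloads modelled on the two posted in this thread
// (the second one has a made-up href, since the post's was stripped).
$payloads = [
    'whatever"><h1>Hello</h1>youwhat',
    'foo"><a href="https://attacker.example/login">Click here to log in</a>',
];

foreach ($payloads as $p) {
    echo "unsafe: ", hidden_field_unsafe('destination', $p), "\n";
    echo "safe:   ", hidden_field_safe('destination', $p), "\n";
    echo "lossless: ", round_trips($p) ? 'yes' : 'no', "\n\n";
}
```

In the unsafe line the quote in the payload terminates the attribute, so the `<h1>` or the fake login link becomes real markup on a page served from the trusted site. In the safe line htmlspecialchars turns `"` into `&quot;` and the angle brackets into `&lt;`/`&gt;`, the value stays inside the attribute, and round_trips confirms nothing is lost: the next stage of the form receives exactly the string that was passed in. The same encoding is what the thread means by "convert it to entities"; it is a separate concern from xss_clean, which is not an HTML filter.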
#5

[eluser]louis w[/eluser]
form_prep: This looks promising; I have never noticed this helper.
