xss_clean bug
#1

[eluser]Nielsk[/eluser]
Hello,

I was working on my community when I was checking the security side. When you use " /> in an input, it will be under the input like this:
<input name="title" id="title" type="text" value="DefQon.1 ">>>" /></div>

The quote (") should also be edited in the xss_clean, else it can't be defined as an xss cleaner.

Niels

ps: if some text is wrongly formulated, it's because I'm tired at the moment due to some problems at home.
#2

[eluser]xwero[/eluser]
The double quote is not considered an XSS risk because it's a valid character in normal text.

But there are ways to prevent user values from messing up your HTML, and one of them is the use of the htmlentities function.
#3

[eluser]Nielsk[/eluser]
I know that. I'm a freelance security expert. I work with XSS and CSRF almost every day.
#4

[eluser]xwero[/eluser]
I was just mentioning it :)
#5

[eluser]Derek Allard[/eluser]
Hi Nielsk. Thanks for reporting. I'm sorry, I'm not following what you are suggesting. Could you elaborate? If you'd prefer to continue this off-board, please feel free to email me ([email protected]).
#6

[eluser]Nielsk[/eluser]
[quote author="Derek Allard" date="1215760824"]Hi Nielsk. Thanks for reporting. I'm sorry, I'm not following what you are suggesting. Could you elaborate? If you'd prefer to continue this off-board, please feel free to email me ([email protected]).[/quote]
I have mailed you :)
#7

[eluser]Derek Jones[/eluser]
Nielsk, thanks for reporting; Derek shared your email with me, and I think it's just a small misunderstanding. xss_clean() does not make text safe for use in tag attributes, it makes it safe for output to the screen. What you demonstrate is still not an XSS weakness, though it will certainly break your tags. What you want to use in addition to xss_clean() is form_prep() from the Form helper. e.g. instead of:

Code:
<input name="title" type="text" value="<?=$this->input->xss_clean('DefQon.1 " />');?>" />

You would use (after the form helper is loaded)

Code:
<input name="title" type="text" value="<?=form_prep($this->input->xss_clean('DefQon.1 " />'));?>" />
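An added example (not CodeIgniter's own code; xss_clean() and form_prep() are replaced by simplified stand-ins named screen_clean() and attr_prep()) that renders the thread's value into an input tag both ways and reads back what an HTML parser actually sees in the value attribute:

```php
<?php
// Constructed input: the value from the thread, a closing quote followed by "/>".
const SAMPLE = 'DefQon.1 " />';

// Stand-in for xss_clean(): removes script blocks but leaves double quotes
// untouched, since a quote is legitimate text. This is NOT CodeIgniter's code.
function screen_clean(string $s): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $s);
}

// Stand-in for form_prep()/htmlentities(): attribute-context escaping.
// ENT_QUOTES encodes both " and ' so a value cannot terminate the attribute.
function attr_prep(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The template line from the thread, with the value already processed.
function render_input(string $value): string
{
    return '<input name="title" type="text" value="' . $value . '" />';
}

// Parse the markup the way a browser would and return the value attribute of
// the first <input>, so the effect of each escaping choice is visible.
function parsed_value(string $html): ?string
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<!DOCTYPE html><body>' . $html . '</body>');
    $inputs = $doc->getElementsByTagName('input');
    return $inputs->length ? $inputs->item(0)->getAttribute('value') : null;
}

// Screen-safe only: the embedded quote ends the attribute early and the rest of
// the value spills out as stray text after the tag.
$broken = render_input(screen_clean(SAMPLE));
// Screen-safe plus attribute-safe: the full value survives the round trip.
$fixed  = render_input(attr_prep(screen_clean(SAMPLE)));

printf("without attr_prep: %s\n   parsed value: %s\n", $broken, var_export(parsed_value($broken), true));
printf("with attr_prep:    %s\n   parsed value: %s\n", $fixed, var_export(parsed_value($fixed), true));
```

Compare the two parsed values: only the attribute-escaped version hands the browser the same string the user submitted.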
