What is the purpose of restricting allowed Url characters?

#1
[eluser]eroy4u[/eluser]
Hello,
as in CI,
it recommends restricting url characters to "a-z 0-9~%.:_-" only,
I cannot think of a situation that this restriction will help in security.

As I have the need for releasing this restriction,
can anybody helps how this restriction will help in security?

Thanks.

#2
[eluser]Rick Jolly[/eluser]
http://ellislab.com/forums/viewthread/88637/

#3
[eluser]eroy4u[/eluser]
Thanks.
I think the idea is to prevent passing something like "[removed][removed]" to the controller function as parameter as it's a cross-site scripting hole.
However, I think it is a bad example of imposing security measure. As the best practice is to validate every piece of input data.

#4
[eluser]Derek Allard[/eluser]
You're welcome to do just that eroy4u. CI even gives instructions in the code for how to do exactly what you discuss. I don't argue with you that its best practice to validate every piece of input data (CI allows you to turn this on globally easily, and I've recommended that on many occasions).

If you don't want to use a feature of CI, then don't. It helps where you need help, and get's the hell out of your way when you don't, but allow me to publicly say right now that this is a GOOD example of imposing a security measure, and while for some specific development goals you may want it turned off, it is a smart default for the vast, vast majority of web applications.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


Users browsing this thread:
1 Guest(s)


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.